Research on Security and Identity Management (by Marco Casassa Mont) : IAM

Identity Management and the IT Monoculture

marcocasassamont — Wed, 04 Mar 2009 17:55:00 GMT

A recent article (called "IT Monoculture: Security Risks and Defenses") published by the IEEE Security and Privacy magazine, discusses pros and cons of having an IT Monoculture, i.e. where no diversity is introduced for specific IT solutions deployed within organizations.

Quite interestingly this applies also for Identity Management. On one side deploying the same Identity Management (IAM) solutions across an organization increases efficiency, central control and uniformity. On the other hand, it might potentially increases the exposure of the organization to threats and related risks.

I guess that, at the end, it is a matter of economics, involving trade-offs between involved costs, security and productivity.

This is an area where modeling and simulation (see Security and Identity Analytics) might be of some help, to explore, predict and identify the most suitable approach for an organization, given the organization profile and the underlying threat environment.

Just wondering if there is any recent, official study (I have not yet found it ...) exploring the current level of "IAM-diversity" within organizations. Any pointer/link would be welcome ...

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

IAM and top IT initiatives in 2009

marcocasassamont — Wed, 18 Feb 2009 23:23:00 GMT

This article, called "Encryption top IT Security Initiatives in 2009", provides an overview of a recent Forrester's report, about IT security spending in 2009:

"Full-disk encryption was cited as the top client security technology ...

The survey's respondents also indicated interest in deploying identity and access-management (IAM) technologies, particularly single sign-on, unified monitoring of users' rights and activities and provisioning. The main reason given for adopting IAM was security and governance along with regulatory compliance. Among the technologies least anticipated to be piloted or adopted is application lockdown for endpoint control"

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Article: Changing business landscape makes IAM key to IT Security

marcocasassamont — Wed, 19 Nov 2008 17:24:00 GMT

Here is a recent, interesting article, called "Changing business landscape makes identity and access management key to IT security":

"In an age of significant layoffs and corporate restructuring, the burgeoning problem of identity and access management for IT operations and data centers has escalated into a critical security issue. Managing who gets access to which resources for how long - and under what circumstances - has become a huge and thorny problem. Improper and overextended access to sensitive data and powerful applications can cause massive risk as many employees find themselves in flux."

This article provides some excerpts from a discussion with Dan Rueckert (worldwide practice director for security and risk management in HP's Consulting and Integration group); Archie Reed (distinguished technologist in HP's security office in the Enterprise Storage and Server Group), and Mark Tice (vice president of identity management at Oracle).