Wednesday, July 7, 2010

Kuppinger Cole Analyst names Engiweb Security a “Hidden Gem” in GRC

What a good surprise! We are very pleased to be included in the “Hidden Gems 2010” report from Kuppinger Cole in the GRC market segment (Governance, Risk Management, Compliance).

According to the Kuppinger Cole report: Hidden Gems are vendors which are (still) relatively small, less known than "the big ones", and which definitely offer innovative solutions that are worth considering. These vendors are not (yet) stars in the worldwide IAM, GRC, and Cloud markets.
It is in the nature of grinding Hidden Gems that some will not become the sparkling diamonds we expect today. Some will become acquired. However, there are strong opportunities in selecting products and services of innovative, young vendors – of the Hidden Gems.
The selected vendors are distributed into four categories. Besides GRC, categories include IAM, IT Security and Cloud.

You may recall that a few months ago we were also named “Cool vendor” by Gartner. The inclusion of our solution in the Kuppinger report reinforces the fact that we have a solution that is sound, distinct, concrete and able to solve customer problems and ensure success of business objectives.

But… but… as I already stated in my previous post, this is not enough! I don’t want to start the usual rant about the few “Ugly, Dirty and Bad” big companies again. It’s very frustrating to notice, however, that we always have to demonstrate or prove something, while just a few words and a PowerPoint presentation are enough for the “big brand”.

Here is a recent example: the prospective customer wants to implement a complete role-based Identity & Access Governance project by the end of 2010.
Our foe says “No problem!”
… but wait a minute: the foe has also just affirmed that the roadmap for a new module, which is mandatory for the project, will not be integrated before October 2010, and on top of that the official timeline is CY2011!
How will they meet the project deadline, since lots of custom developments are required and the tools are not yet available? A mystery!
Alternatively, we humbly proposed a pitfall-free solution with technical features that are at least ‘on par’ with the competitor’s: a solution with almost all functionalities natively available from our IDEAS platform, without the need for further coding or custom developments… and obviously with the possibility to implement a POC in weeks.

The (ex) prospective customer’s verdict was: “sorry, but we trust them and feel comfortable joining their grand vision”. No further explanations given!!
Is this a healthy competition?

Going back to the spirit of the report: Hidden Gems should mean that there are some fascinating, less-known solutions on the market worthy of evaluation, including ones you possibly never knew existed!
The complete report is available to Kuppinger Cole clients here.

Monday, May 24, 2010

Live and let Live

It is time to put my two cents to the ongoing dialogue revolving around RBAC versus ABAC.

My impression is that talking RBAC down is presently in fashion and used as a pretext to promote ABAC.

The pro-ABAC Advertisement Campaign foresees an impressive list of reasons. The most popular among them are:
  • RBAC projects start with high expectations
  • The real world just happens to be too complex to model efficiently with RBAC.
  • RBAC misses the context
  • RBAC is very costly
  • RBAC is almost impossible to finalise
  • RBAC is Static
  • RBAC leads to Role explosion
  • RBAC (Roles) are not interoperable
But the “gem” is
  • The RBAC model as opposed to the ABAC model is not context-aware and is thus not well suited to handle SoD requirements.
As a kindness they allow roles to be used in ABAC, as one of the many attributes that ABAC can incorporate to make access decisions.

Now: I can logically agree on all the syllogisms that are used to justify the prevalence of ABAC, but the problem is in the starting axioms: what enterprise authorization solution is actually using “pure” RBAC as a determining factor on whether to grant access to an asset or not?

For instance, our solution IDEAS Enterprise Entitlement Server (the new name of our Enterprise Authorization Server) provides an entitlement model that unifies role-based, rule-based and attribute-based access control.
With this model, entitlements may include dynamic authorization information, such as: contextual attributes (e.g. time of day, value of a transaction, a physical location, …), user and resource attributes (e.g. an account, an organization, …), and rule-based business logic (e.g. exceptions, call-outs, …).
Of course, historically, our roots are in Role Management, thus roles have a central position in our solution; but in order to map any application authorization framework, we have included an Application mapping capability from the beginning, in our unique data model, which allows for flexible definition and evaluation of complex access control policy sets.

So, instead of only using roles as the determining factor on whether to grant access or not, many attributes can be used. The hybrid adoption of RBAC together with additional context simplifies the making of access control decisions (at finer levels), allows easy compliance with regulations, and very importantly, minimizes governance problems.

Here is an example of authorization policy mapping using IDEAS.

The application is a fictional stock trading application, used by traders in a bank to buy and sell stocks on various stock exchanges.

First of all, the model has an:
  • Actor: the subject (e.g. a user, possibly mediated by roles, ...) for whom the authorization is evaluated. Example: Mr. X with the “Senior Bank Operator” role.
and it is based on four entities, relying on a Role Management infrastructure:
  • Permission: an action on the Resource (also called Operation). Example: Trading.
  • Resource: the Application element to protect. Example: Stocks.
  • Constraints: the Conditions that must be validated to grant the authorization. Two or more Constraints can be merged with a boolean combination of their values. Examples: Trading depends upon the user’s geographical area; the transfer limit is based on user characteristics; SoD conflict verification in real time.
  • Exceptions: other conditions that can further limit the authorization decision and that allow for the creation/evaluation of more complex business logic. Example: Trading not allowed for companies in which the user is involved.

Very lean and straightforward!

I just want to put in a good word now and refute the statements that have been made on Role explosion and SoD management. Once again it is just a matter of selecting the right tools and adopting the appropriate methodology.

In the next post I will try to describe a framework that is able to, not only stop this overstated issue, but above all allow stepped construction of sound and governable role infrastructure. As a matter of fact, it is mainly a matter of using the right tools!

For me, however, the most surprising argument raised against RBAC was SoD management. SoD, and in general easy compliance, is one of the strongest points of adopting Roles in an Access governance framework.
For example, IDEAS offers the possibility to easily define and maintain the scope of roles based on the organization unit structure (for implementing need-to-know, need-to-share). Further, the proposed SoD model allows business users (that might have no knowledge of IT systems) to define potential conflicts among business activities (e.g. “purchase order - creation” or “purchase order approval”) rather than among entitlements, thus decoupling business and IT aspects as well as leveraging a business perspective.
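The following Python evaluator is an added illustration of the stock-trading policy model described above and of the SoD model just discussed; it is not code from IDEAS or from the original post. It assumes constructed role names, user attributes and request context: a role grants (Permission, Resource) entitlements, constraints and exceptions refine the decision, and SoD conflicts are declared between business activities that are mapped to entitlements for the real-time check.

```python
from collections import namedtuple
# Constructed illustration of the hybrid entitlement model described above;
# every name, role and value is an assumption, not the IDEAS product's own API.
Actor = namedtuple("Actor", "name roles attrs")  # attrs: regions, transfer_limit, involved_companies

# RBAC part: role -> set of (Permission, Resource) entitlements.
ROLE_ENTITLEMENTS = {
    "Senior Bank Operator": {("Trading", "Stocks"), ("Approval", "Stocks")},
}
# SoD conflicts are declared between business activities, not entitlements;
# this mapping ties each activity to the entitlements that realise it.
ACTIVITY_ENTITLEMENTS = {
    "trade execution": {("Trading", "Stocks")},
    "trade approval": {("Approval", "Stocks")},
}
SOD_CONFLICTS = {frozenset({"trade execution", "trade approval"})}

def activities_of(entitlement):
    return {a for a, ents in ACTIVITY_ENTITLEMENTS.items() if entitlement in ents}

def no_sod_conflict(actor, ctx):
    # Real-time check: the requested entitlement must not realise an activity
    # conflicting with one the actor already performed on the same trade.
    requested = activities_of((ctx["permission"], ctx["resource"]))
    prior = set().union(*(activities_of(e) for e in ctx["prior_entitlements"]))
    return not any(frozenset({r, p}) in SOD_CONFLICTS for r in requested for p in prior)

# Constraints (all must hold) combine contextual and user attributes.
CONSTRAINTS = {
    "geographical area": lambda a, c: c["exchange_region"] in a.attrs["regions"],
    "transfer limit": lambda a, c: c["amount"] <= a.attrs["transfer_limit"],
    "SoD conflict": no_sod_conflict,
}
# Exceptions (any one denies) carry further business logic.
EXCEPTIONS = {
    "user involved with company": lambda a, c: c["company"] in a.attrs["involved_companies"],
}

def authorize(actor, permission, resource, ctx):
    """Grant iff a role entitles the actor, every constraint holds and no exception fires."""
    ctx = dict(ctx, permission=permission, resource=resource)
    if not any((permission, resource) in ROLE_ENTITLEMENTS.get(r, ()) for r in actor.roles):
        return False, "no role grants %s on %s" % (permission, resource)
    for name, check in CONSTRAINTS.items():
        if not check(actor, ctx):
            return False, "constraint failed: " + name
    for name, exc in EXCEPTIONS.items():
        if exc(actor, ctx):
            return False, "exception: " + name
    return True, "granted"
```

The returned reason string is what an audit trail would record; note that a business user only edits ACTIVITY_ENTITLEMENTS and SOD_CONFLICTS, never the entitlement-level check.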

In my opinion (sorry if I now use comparative reasoning) the policy administration issue should not be underestimated. I’m sure that by using IDEAS even a very complex authorization policy is far more viable, thanks to the adopted data structuring.
On the other hand, how can XACML policy be set and analyzed? What kind of tools are actually available for managing a very complex application authorization policy with multi-valued requests and rules? What about conflict verification checks?


To wrap up, I don’t think we need RBAC and ABAC slinging mud at each other (like a typical Coke and Pepsi duel). We don't want to create bad karma: we need to support BOTH! (Many agree with this.)

Sit down and decipher the most advantageous benefits of your company and its products, without bashing others, because other approaches are also on the horizon… like Risk-Adaptive Access Control (RAdAC).

It could be a never ending quarrel…

And once again…
Live and let Live

Tuesday, May 11, 2010

Good news from Italy: Piaggio wins award at Kuppinger Cole’s 2010 European Identity Conference

The European Identity Award in the category ‘Best Cloud IAM project’ was conferred to Piaggio, the well known worldwide manufacturer of Vespa scooters, for their use of Engiweb Security’s Identity & Access governance IDEAS solution.

The award recognizes outstanding projects as well as innovations and additional developments of standards. Directly from the awards page:
In the category “Best IAM Project in Cloud Computing”, […] The award was received by Piaggio Group of Italy for a hosted IAM solution based on products by Engiweb and focusing on defined, enterprise-wide business processes […] Both the number of nominees for the European Identity Award 2010 and the quality of the project submitted far surpassed last year. This is seen by Kuppinger Cole as a general sign of increasing maturity in IAM and GRC solutions. Especially notable was the number of nominations in the category “Cloud Computing”, a trend that the analyst group feels will be sure to continue over the next few years.

During the event Piaggio’s representative, Lorenzo Mastropietro, presented the company’s customer case explaining that Piaggio’s aim when they started was that of having a classic Identity Management project and from the beginning they had a clear vision of their business needs. Thus, even if the main targets were Access governance and Compliance improvements, Lorenzo highlighted how even the “basic” password reset functionality was sufficient to justify project investments. As a matter of fact, he is now using these early successful results to support internal marketing activities, in order to more fully involve all stakeholders and gain more support for future development.

Furthermore, thanks to the outsourced IM project, Piaggio does not need internal staff to execute IM operations and does not spend time and resources on its maintenance. The implemented solution makes it possible to delegate a big part of the ICT activities to the Outsourcer, allowing Piaggio to concentrate on aspects linked to the business (policy definition, workflows, role engineering, etc.).

Friday, April 30, 2010

Vaso di coccio tra vasi di ferro

Blow the trumpets and blow the horns: we’re extremely happy that Engiweb Security has been announced as one of Gartner’s “Cool Vendors” for 2010, in the Application Security category. This is all thanks to the IDEAS platform which, even if it could be best positioned in the “Access Governance Platform” market segment, among other things provides additional support for Entitlement Management.

Will this acknowledgment create business opportunities for us in the international market? Will being a Gartner-certified “Cool Vendor” attract potential customers like bees to honey?

How to tell? This market is so strange!

Perhaps I’m a bit too disenchanted, but as a matter of fact, we still have to face a market where more than 60% of the customers do not perform serious “vendor selection” when they need to decide how to implement an identity management project.

As stated in the KPMG/Everett “2009 European Identity and Access Management Survey”, that can be downloaded here:
“When organizations are selecting their required IAM solution, a large amount acquire the solution of their preferred supplier and only 18% perform a vendor selection in order to select a ‘best of breed’ solution”
It is easy to guess who these “very, very large” preferred vendors are… however, this may result in a “hidden” failure for the customer: licenses acquired and at once abandoned, with no project implemented at all! (Hard to believe, but not everybody realizes that the implementation is the biggest cost of an IM initiative.)

I’m definitely pessimistic these days…

Anyway we at Engiweb Security have no intention of resting on our laurels… and we have some really cool things planned for the next product releases: Risk metrics/management and XACML support.
------------
Vaso di coccio tra vasi di ferro
This typical Italian expression was probably coined by Alessandro Manzoni who, in the first chapter of his masterpiece “Promessi Sposi” (The Betrothed), writes:

Il nostro Abbondio, non nobile,non ricco, coraggioso ancor meno s’era accorto, prima quasi di toccare gli anni della discrezione, d’essere in quella società, come un vaso di terra cotta, costretto a viaggiare in compagnia di molti vasi di ferro.
(Translation: Our Abbondio, not noble, not rich, not courageous, was therefore accustomed from his very infancy to look upon himself as a vessel of fragile earthenware, obliged to journey in company with many vessels of iron.)

The metaphor is clear: the vessel of fragile earthenware (Vaso di coccio) surrounded by many iron vessels (vasi di ferro), during a journey along a dirt road can easily be broken at the first little impact. Nowadays this expression describes a tricky situation where a person finds himself as a minority among hardened opponents.

Thursday, April 29, 2010

See you at European Identity Conference ’10?

In Munich, for "European Identity Conference 2010" next week?

KuppingerCole European Identity Conference 2010 starts this coming Monday in Munich, Germany. It is Europe's largest conference on Identity & Access Management, with more than 50 exhibitors.
I'll be there looking to share, learn, get news and ideas. Engiweb Security will also be present with a booth in the exposition area and a number of IM experts available for any related inquiries.

We are involved in several sessions; you can look at the complete agenda here.

Also our customer Piaggio (yes, the manufacturer of the legendary Vespa scooter) will be presenting a case study based on its Managed IM Service Project at 11:00 on Wednesday, May 5. It will be a highly informative speech, so I hope you will attend.

Wednesday, March 31, 2010

Back to Blogging

After a long period of inactivity, due to several internal and external factors, here I am ready to write about Roles and Identity Management again!

It has been almost a year since my last post. During this period, I haven’t had a lot of time for things like the blog, and this was a big mistake for various reasons. One of these being that since Engiweb Security is an engineering-focused organization that has not given a lot of attention to marketing, this blog can (among other IdM related considerations) try to support efforts to raise its profile and properly position Engiweb Security in the marketplace.

While I was gone, there have been a number of notable movements in the market, and many of the latest announcements involve IAM: Oracle swallowing up SUN, Gartner taking over Burton Group, etc…
In the meantime it looks like the Role Management bandwagon is as hot as when I started neglecting this blog months ago.
Furthermore, Engiweb Security is in the process of better positioning its offer in order to avoid possible miscommunications or challenges to our potential clients.

In a week or so, I’ll post a blog about the evolution of IDEAS (our Identity & Access Governance solution) and our latest partnership deals.
I also still plan on posting articles about current IdM debates. For instance, I find the ABAC-RBAC heated debate very exciting, and it still arouses my curiosity. BTW why are they still using the “Role Explosion” hackneyed and false excuse to justify that RBAC is not usable?

Anyway… back to us! For now, the Engiweb team has published new academic papers for the security community, describing the conceptual model used in the IDEAS solution in detail.
  • A. Colantonio, R. Di Pietro, A. Ocello, and N. V. Verde. “Taming Role Mining Complexity in RBAC”. Computers & Security, Challenges for Security, Privacy & Trust (special issue), Elsevier, 2010.
  • A. Colantonio, R. Di Pietro, A. Ocello, and N. V. Verde. “ABBA: Adaptive Bicluster-Based Approach to Impute Missing Values in Binary Matrices”. In Proceedings of the 25th ACM Symposium on Applied Computing, SAC '10, Sierre, Switzerland, March 2010.
  • A. Colantonio, R. Di Pietro, A. Ocello, and N. V. Verde. “A Formal Framework to Elicit Roles with Business Meaning in RBAC Systems”. In Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, SACMAT '09, Stresa, Italy, June 2009.
If you are interested in receiving the full texts, please send me an e-mail: my surname at eng dot it.