Musings on Bruno Munari thoughts

Last Sunday I was walking downtown in the historical center of Rome, and as I was strolling along the Tiber river I came across the Ara Pacis Museum. These days the exhibit area inside Ara Pacis is hosting an exhibition on Bruno Munari.
The new museum, designed by the Richard Meier architect is quite charming: I like its pristine structure that is full of light, but what really touched me was the Bruno Munari exhibition.
In fact Munari’s works and his attitude of whimsy and sheer inventive imagination were actually venerated by me when I was a kid.

From the catalog:

“Munari’s life (1907-1998) and career spanned the 20th century, and he was among the most seminal exponents of Italian design and graphic design. Yet he never received the accolades and recognition on an international scale that he so richly deserved. What sets Munari apart from other designers is that he engaged in a quiet, playful revolution, inventing and designing with humorous and modest creativity, challenging all conventions and stereotypes intelligently but without flamboyance.”

But let me tell you why I’m speaking of Bruno Munari in this blog.

Walking along the exhibit set course, I noticed some of Munari’s sentences on the walls, and among them one in particular attracted some attention:

“Progresso è quando si semplifica, non quando si complica”
“Progress is when things get simpler, not more complicated”

I like to use quotes to mix things up: in this case Bruno Munari reminds me of the aggregation (and/or acquisition) processes currently taking place in the Identity Management space.
We, as all vendors, are supporting our customers move from automating infrastructure procedures (that is meta-directory services, basic identity administration and access management) to enabling business processes, towards the satisfaction of the new requirements for Governance, Risk and Compliance (GRC).
Thus most vendors started down that path of adding new features, and new modules; often with the shortcut of specialized company acquisitions.

And the result is. ......Yes, for sure we are allowed to check the coarse grain Role checkbox in RFP's, and if the prospect asks for a POC we can always mask the mess, ..... and in parallel: let’s pump cosmetic marketing campaigns.

So if the product isn’t built, since the beginning, around a data model that is able to natively manage all processes linked to identity, role life cycles and access governance, just two alternatives are available:

• Rewriting from scratch the product around a coherent and complete data model;
• Try immediately to trim the fat, hide the complexity and hope that the discrepancy that exists will definitely be decreased in the next releases and beyond…

What is happening in the present Enterprise Role management vendor acquisition fever is quite typical.

Is it possible to really integrate an Identity Management solution with an Advanced Role Management solution? And what are the risks associated with this two-headed architecture?

I will write more about this in the next post and try to explain our idea of integrated solution that is able to natively support all the needed features in a scenario, where Advanced Role Management capabilities together with strong Authorization Management is gaining momentum

SOA and IAM are growing together

As promised in my previous post I’m introducing a new feature that adds a lot of value to our IDEAS solution: the support of SOA-based integration platform for providing a direct connection to Resource Target systems. This is the starting point for a clear commitment to SOA support, which we hope will continue to grow.
Collaboration between SOA (Service-Oriented Architectures) and Identity Management is an important requirement for many customers that have SOA based applications, and are looking for an application-wide use of identity and authorization data.

What we have done was simply to optimize the synergies with our mother company: Engineering Ingegneria Informatica (EII).
Actually EII is a strategic member and co-founder of the international OW2 Consortium. Within this Consortium, EII is particularly active on the project Spagic that aims at enlarging the OW2 Consortium code-base to support the development of business applications according to the SOA (Service Oriented Architecture) paradigm.

"Spagic is a solution composed by a set of visual tools and back-end applications oriented towards planning, realization, deploy and monitoring of ESB infrastructures adherent to the SOA paradigm. By means of visual tools, Spagic can be easily adopted by different categories of users involved in integration projects, such as: analysts defining the integration processes, developers realising application services, users monitoring and managing the entire system."

Engiweb Security has built specific components of IDEAS integrating SPAGIC (that includes ServiceMIX), in order to be able to directly support a SOA-based integration platform.
The first output is the capability to access JDBC Resource Target directly via a SOAP adapter.
Using its native JMS interface, the IDEAS platform can now exchange events with SPAGIC and on other side targets are connected to the JDBC Communication Layer provided by the SPAGIC SOA/BPM Enterprise Integration Framework.
So a customer is able to centralize the administration of user identities and their associated access privileges to corporate resources using the central IDEAS module, and using the SOA Interface it allows the synchronization of Identity/roles data with external applications that manage such information in a JDBC environment.
As a matter of fact, in this scenario a consistent state of identity information in connected external systems is provided without the need of a “traditional” resource provisioning systems (e.g. Novell’s Identity Manager connectors).

Extending the Scenario

1. We are working to integrate IDEAS with other SOA Platforms such as JBOSS-ESB and TIBCO.
2. The integration of SOA Platforms will gather in pace and importance in this coming year with the result that events coming in and out from IDEAS will be processed by an orchestration of different services and data integration oriented services, allowing for complex Business Logic implementations and collaborative activities within several Web services.

A pragmatic approach to “Virtualization”

My company, Engiweb Security, is quite small, but I think, has many strengths and is well positioned to play a vital role in the role based identity management and the GRC markets.
One of the innovative aspects that, is worth sharing is our approach to “Virtualization”. Here we don’t want to take sides in the dispute between Meta-Directories versus Virtual Directories: they are both well respected technologies and, looking at our solution IDEAS, I view these technologies as complementary. As a matter of fact we have a hybrid approach.
Most Identity related information is consolidated in the IDEAS master repository (based on a RDBMS) using specific connectors to Target Resources. But there is also an interface to other repositories to provide the required attributes without any need to move information from the existing user repository, thus providing a combined view of all user data.

In other words a sort of “Virtual Directory” or "Identity Virtualization".

The combination of the Master Repository with its strong data model behind (able to manage identity information, policies, business roles, …) and the Virtual data aggregation, allows an external application to have all the needed information to act in a secure way.
For this purpose IDEAS is equipped with API JAVA, API .NET and Web Services which permit an external application to see the required data as one data source, and recover the user security context.
So, applications might require user data that is stored non only in the central IDEAS repositories, but also in scattered different repositories (DB, directories, ..).
This approach makes it possible to keep the central repository lean, no need to fatten it if an application needs some specific data (i.e. external attributes) that are not relevant for other applications.
Furthermore some of these external attributes could also support the internal rule engine processes, where some decisions have to be taken considering specific parameters.

In the next post I’ll introduce another element that, from my point of view, adds a lot of value to our IDEAS solution: the support of SOA-based integration platform for providing a new generation of “Target Resource” connectors.

Do I have an alter ego?

A few days ago I received an e-mail from Courion Corporation: “Register Today: Sept Webinars Now Posted”. … and reading the content, I jumped.


Yes, one of the webinar title was just like the name of this blog: “Roles in Action”.

Of course I will not claim ‘firstborn’ rights. Very often in marketing you can create a catchword using a simple buzzword generator. For example, within my company we recently named a webcast: “Role Management: unlock the complete value of Identity Management, take full control over Compliance”. Not very original, is it?

Anyway, I am looking forward to this webinar. I hope that Courion speaker, Chris Sullivan, will agree with my blog subtitle: “Roles can’t be built in a day”.

No man is prophet in his own country

An Italian crazy approach to Identity Management projects

Preliminary remarks

1. An Organization is launching an Identity Management Project where almost 80% of the foreseen IM processes require an authorization workflow.
2. The Organization has selected an IM technology platform
3. However, the requirements are so complex that it isn’t possible to meet them just with a customization of the web application of the vendor’s IM product
4. Furthermore it is the Organization itself that suggests custom developments for the web application.
5. … thus almost 80% of the IM project requires ex-novo software developments
6. What a crazy world!!

Actual Story
We just received an Identity Management (IM) RfP from a large Italian company.
It seems that they have already done an internal technical evaluation, as they are asking mainly a system integration effort based on Oracle Identity Manager product.

From the RfP, translated from Italian: “(the company) wants to equip itself with an Identity Management system for supporting: the digital identity management processes, the software applications and other platforms authorization processes. To this end (the company): has identified in the Oracle Identity Manager product the technology to be used for implementing the system, has carried out a feasibility analysis, and has defined constrains and requirements for the implementation”.

Thus, just a system integration effort. They have done a rigorous vendor selection, and verified the feasibility of the project using the selected product.

Ok, fine, … but uhmm… they also want to develop new custom clients for specific functionalities not available from Oracle Identity Manager Web Application.

As a matter of fact, they have expressly invited the bidder not to customize the web application interface of the Oracle Identity Manager Administrative and End-User Console, but to implement the web interfaces using a “custom client” approach, i.e. a SW development based on Oracle Identity Manager Software Developer Kit (API).

Again from the RfP:

• “From the (Company) requirements analysis, we want to draw bidder's attention to the following set of remarks pertaining to the requests management:
• Roles (User Manager, Authorization Steward, Operator) of all users involved in a request approval process, need to have different scopes (or views), based on resource object attributes that represent the requested resource. For instance the User Manager doesn’t need to access fields like account identifier; this field, on the contrary, must be set by the AM function that creates the account on the target system. The first access password should be set by AM, displayed for the end user, not available by any other, and so on…”
• A fill-in request process must be guided by specific wizards aimed at effectively supporting the end user. For instance a User Manager that wants to grant the access to an Application for one of his collaborator, must first of all select the user from a predefined list of all his collaborators. Then he must be able to select the application and related profile. The system must be able to guide him, by offering the standard profile (or in case, a list of standard profiles) associated both to the selected application and to the end user belonging Organization Unit.
• ……..........
• A user must be able to submit a request for modifying his assigned profile for application authorization, but the present release of Oracle Identity Manager doesn’t allow out-of-the-box to implement workflow for approval of modify requests of resources attributes already assigned to users.”

The questions is:

• Does exist a product out there able to manage, out-of-the-box the above listed features, or at least able to provide a rich, exhaustive support for these functionalities?

Disclaimer
Yes, Engiweb Security can help with most of the above described missing features. For instance, reading from Engiweb Security IDEAS brochure:
“Administrator scope dynamic association in workflow processes. It is often necessary that workflow figures (delegated or peripherals administrators) have a limited scope both for users (only certain OU users) and Applications (i.e. this administrator only approves profile requests that belong to a specific application).”
There is no reason for me not to talk about it! ...but in short: is there someone who is interested? (certainly nobody in Italy).

Postscript
As soon as I ended this post, I discovered that some bloggers are discussing on FACTs and FUDs here and here.
The above described example well fits into the discussion.
We are a vendor used to face behemoths like ORACLE and SUN. In this post the Oracle products were mentioned, but I can give examples on SUN too. As the saying goes “People who live in glass shouldn’t throw stones!”

How to add "intelligence" to IAM

One of my colleagues just finished up a White Paper that is worth reading: “Let the Good Times Roll: Role Management for Enterprises Is Possible“.
The paper tries to explain how to add “intelligence” to a “classic” IAM solution. It also collects some concepts and examples I have already touched on in this blog.

Here is an excerpt addressing on the concept of Application.

In a large Organization environment there are many "Applications” managing both authentication and authorisation using (for instance) Active Directory groups.
In this context, with a single technological target (AD) connected to the IAM, there are multiple, associated “Applications”. On that level, into IAM environment, “target system” is a technology concept, whereas "Application” is a IAM business concept.

Note that in this context "Application" can be seen as a resources container (in this case AD groups).
Even AD groups set, used for users “Infrastructural” access, could be seen as an "Application". Following this point of view, we can group the “Infrastructural Resources” groups set (Internet, Mail OWA, VPN, FTP etc..) in a container (Application) and give it a name. (e.g. Infrastructure Resources).

This “Application” concept is very important in an IAM environment. Through “Applications” many administrative processes can be easily managed. Especially so are such processes where the “Target” concept does not fit because it is not expressive enough, and the “Resource” concept does not fit because it has too little granularity.
Some examples are:

• Application is a Business language while “Target” or “Resource” are technical languages.
• Dynamic management of IAM administrators “scope” on specific applications (an administrator can only approve requests referring to specific “Applications”).
• Policy writing is much more expressive and simple if referring to Applications instead of always identifying a set of resources.
• Event grouping under an Application is extremely expressive both from operational and auditing aspects.

Most IAM tools refer to technological concepts such as Targets or simple Resources thus resulting in a very low expressivity and administrative complications.
If you want to introduce the Application concept where it is not “out-of-the-box”, you must analyze the impact, define data model and implement all business intelligence associated with the concept.
Instead, with a tool natively supporting this data model, processes implementation related to this concept are direct and prompt.
Referring to the above Active Directory example: with IDEAS by Engiweb Security, once the Active Directory technological connector is created, the creation of an "Application”, its relative “Resources” association and connection to the reference “Target”, is really simple.

Only a few parameters need to be defined, such as:

• Target.
• Synchronisation Options (Automatic, Manual NoSync). It is interesting to note that native Applications management, based on “Sync. Options”, make the synchronisation chain work in a different way. In fact, in the case of Automatic Sync, if a user is assigned an Entitlement or a Role which includes a resource from this application (e.g. an AD group), the system generates an outbound event towards the connector which automatically associates the group with the user. On the contrary, Manual Sync generates an event which is retrieved from a file to run a Batch Synchronisation (everything out-of-box).
• Resources connected.

A new webcast on Role Management

If you are interested in Role Management and in particular in Engiweb Security’s approach to this business issue, you can tune in to a new webcast featuring Roberta Witty - Gartner Research VP, Richard Parisi - Engiweb Security International Customer Support and Alberto Ocello - Engiweb Security General Manager.

For registration to this webcast, click here.