Centralized Identity Management is a Good Thing

Posted by Keith McMillan

February 11, 2008 | 3 Comments

Dark Reading has an article up talking about the expected industry upswing in adoption of identity management solutions. The article points out that Sarbanes-Oxley and other regulatory concerns are driving this adoption. Centralized identity management is where one directory of users and their roles is created and centrally managed. Applications consult the central directory to get this information, rather than having users created individually within each system. This isn’t a new concept: tools like OpenLDAP, Microsoft Active Directory and IBM Tivoli Identity Manager have been around for a while now, but it hasn’t really gotten a lot of traction.

I wrote before about security as a chore, and discussed that there’s a historical tendency of some organizations to view security as an annoyance, and “somebody else’s problem”, because I’ve got enough to do with the work that I’ve got to get done.

This is despite the fact that centralized identity management for enterprises makes a lot of sense. It allows security to be managed by people whose job it is to manage security. This stands a much better chance of being successful than taking someone whose primary job is something else and adding security on top of it. As experience has shown, in an environment like the latter your permissions tend to grow over time as you move from job to job and department to department, because they’re never removed.
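One concrete benefit of having every role grant in a single directory is that the permission creep described above becomes something you can actually check for across all applications at once. The following is an added example, not code from the original post: it models a small constructed directory (users, their current department from an HR feed, and their role grants) together with a constructed policy table of which roles each department may hold, and reports grants that no longer match the holder’s current department.

```python
# Added example (not from the post): reconciling role grants held in a
# central directory against each user's current department, to catch the
# permission creep that per-application user stores make invisible.
# Every user, role and policy entry below is constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Grant:
    role: str          # e.g. "payroll-approver"
    granted_for: str   # department the grant was originally issued for

@dataclass
class User:
    uid: str
    department: str            # current department, per the HR feed
    grants: list = field(default_factory=list)

# Which roles each department is entitled to hold (constructed policy).
ALLOWED_ROLES = {
    "finance": {"payroll-approver", "ledger-read"},
    "engineering": {"repo-write", "ci-admin"},
    "sales": {"crm-write"},
}

# Constructed central directory: alice moved from finance to engineering
# and kept her finance grants; carol holds a grant from another department.
DIRECTORY = [
    User("alice", "engineering", [Grant("payroll-approver", "finance"),
                                  Grant("ledger-read", "finance"),
                                  Grant("repo-write", "engineering")]),
    User("bob", "finance", [Grant("ledger-read", "finance")]),
    User("carol", "sales", [Grant("crm-write", "sales"),
                            Grant("ci-admin", "engineering")]),
]

def stale_grants(user: User) -> list:
    """Return role names the user holds that their current department is
    not entitled to. Because every grant lives in one directory, this
    check covers every integrated application in a single pass."""
    allowed = ALLOWED_ROLES.get(user.department, set())
    return sorted(g.role for g in user.grants if g.role not in allowed)

def reconcile(directory: list) -> dict:
    """Map each uid to its stale grants; users with none are omitted."""
    report = {u.uid: stale_grants(u) for u in directory}
    return {uid: roles for uid, roles in report.items() if roles}

if __name__ == "__main__":
    for uid, roles in reconcile(DIRECTORY).items():
        print(f"{uid}: review and remove {', '.join(roles)}")
```

Run against real data, the output is a review list for the identity team rather than an automatic revocation, since some cross-department grants may be intentional.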

So why hasn’t centralized management gained more ground? There are a couple of reasons why, I think. The first is (or at least can be argued as) a valid business decision. When you’re given a choice between adding some new feature to your software that will give you a competitive edge, to do away with some annoyance that you’ve been fighting for what seems like forever, and integrating to a centralized identity management solution, what are you going to choose? Unless there’s a good business driver behind the identity management integration, it’s going to lose.

The second reason is a bit harder to justify: it’s the natural tendency for people to want to have control of their environments. If I have an application that my department uses, I may not look favorably on my users’ permissions for my application living in some system that I don’t control. “It gets in the way of doing my job most efficiently,” I may say, but to be honest, I just don’t like someone else being in control of that part of my world. This is a short-sighted view, and smacks of needless competitiveness, but within many business environments it is a common one. Managers typically don’t get to be managers without some degree of competitive drive.

I think it’s a good thing that regulatory pressures are adding weight to the centralized management side of the scale. On the whole, I think that it’s a more manageable and thus more secure solution. You’ve given the management of security information to a group whose main job it is to manage such information. This beats letting it continue to be handled by groups whose primary responsibilities are tasks other than security. Those groups have a goal of doing work most efficiently, a goal that is in fact hampered by security, because after all it’s most efficient to give someone all the permissions and never go back to manage them.


Comments



Comment by Sue Massey
2008-02-11 09:52:21

I found your site on google blog search and read a few of your other posts. Keep up the good work. Just added your RSS feed to my feed reader. Look forward to reading more from you.

– Sue.

Comment by Keith McMillan
2008-02-12 11:38:21

Thanks Sue, I’m glad you found the post interesting.

Comment by Andy Kailhofer
2008-02-12 13:45:56

I think that at least common identity repositories, like ADS/OpenLDAP are gaining a lot of foothold, especially since Samba/Winbind makes it so darned easy to integrate all of your machines, be it linux (really, PAM-speaking) or Windows. I see this as a win for “You mean I only ever need to remember one password?” over anything else. Once organizations start to believe in passwords, managing that complexity quickly becomes a horrible nightmare otherwise. Or so I’ve seen…
