
What's In a Name?

IT access and governance projects in recent years have tended to be technical in their nature.  This is not a particularly surprising, or indeed negative, observation.  Many access related initiatives have been driven by provisioning (automating the C(reate) R(ead) U(pdate) D(elete) lifecycle for joiners, movers and leavers) or by S(ingle) S(ign) O(n) initiatives to help reduce password mis-management.

The procurement of such solutions normally involves a product component and the obligatory services component.  The product selection has generally been done using scoring matrices, technical comparisons, benchmarking and functionality matching.  The services part is generally done on an agreed set of deliverables, man-days, costings and project frameworks.  All fine and dandy.  In a technical land, a spade is a spade as the saying goes.  Can your product talk over LDAP?  Does it have an SPML API?  Can I connect to a database using JDBC?  Can it be load balanced?  Are stored passwords salted and hashed, rather than reversibly encrypted?  And so on.  All very black and white questions and answers once you overcome the sales patter!



However, as the hype cycle increases (or dies down, depending on your viewpoint) an increasing number of solutions now require more focus on the business drivers and components of access governance.  Here we refer to items such as G(overnance), R(isk) and C(ompliance), identity compliance, audit controls and so on.  The business part of an organisation (any non-IT silo which actually makes money for the shareholders instead of spending it) is now driving the access governance initiatives.  They have the budget and the accountability to design projects that require a mixture of new technology and services to deliver compliance, process adoption or improved accountability for things like access control, access requests or access sign off.

With this come several new consultancy and delivery challenges, not only in the technology but also in a basic issue like naming standards!  Business personnel take a different view of technology.  Technical terms are used in a different context.  They mean different things.  Take a role as an example.  In standard I(dentity) & A(ccess) Management speak, this would be a grouping of entitlements.  But what about business roles?  Application roles?  Enterprise roles?  HR roles?  Auxiliary roles?  Exception roles, and on and on.  Each could arguably have a distinct definition of its own, but equally could be used interchangeably by both the business and IT departments.  What about attestation?  Is that different to certification?  And is certification different to workflow approval?  It must be, since it's the same people involved, right?  Possibly not!

Auditors, business managers and IT implementers will use different terms interchangeably, whilst referring to different objectives using the same terms.  Confused?!


A major component of any governance project is obviously the tools and services chosen, but time must also be spent on the basics, such as consistent naming.  Agreeing a single definition for each term (what a role is, what attestation means, how it differs from approval) before the tooling is configured allows better monitoring, transparency and ultimately better delivery of governance related objectives.

