‘IAM’ Category Archives

McKinsey research is always thought provoking, and when a recent article came across my desk, I read it with particular interest. It places proximity to customers and innovation ahead of labour costs as keys to the success of the “new” manufacturing. I wondered if there was a corollary to systems integration – what we do for our customers. I concluded an emphatic yes, but read on and see what you think…

Next-shoring: A CEO’s guide

According to McKinsey, “Proximity to demand and innovative supply ecosystems will trump labour costs as technology transforms operations in the years ahead.”

Here in the IT industry, software development and systems integration have borrowed many of their methods from manufacturing. Wipro in India based its project methodologies on just-in-time manufacturing, which had been perfected by Toyota in Japan. After World War 2, Japanese manufacturing was improved by coaching on production and quality from American corporations like HP, which pitched in to help Japan get back on its feet. Lean Software Development and Lean Integration, which we use at First Point Global, were both developed as a result of improved manufacturing processes.

So what is Next-shoring?

As McKinsey introduces it: “When offshoring entered the popular lexicon, in the 1990s, it became shorthand for efforts to arbitrage labour costs by using lower-wage workers in developing nations.” After discussing economic trends, including the importance of local demand factors, the limits of labour-cost arbitrage and the impact of disruptive technologies, the article goes on to suggest the following:

“Although these forces are still gathering strength, they’re already pointing toward two defining priorities for manufacturing strategy in the era of next-shoring: proximity to demand and proximity to innovation, particularly an innovative base of suppliers. In developed and emerging markets alike, both ingredients will be critical. Next-shoring isn’t about the shift of manufacturing from one place to another but about adapting to, and preparing for, the changing nature of manufacturing everywhere.”

And what does it mean for IT?

Think about this:

1 – Developing countries’ labour costs are on the rise;
2 – Even with modern communications, separation of teams comes at a cost.

How does this apply to systems integration projects such as implementing enterprise software like identity and access management? If manufacturing is a bellwether for what’s coming down the track in IT, is it possible that the process should take place:

3 – Where there is demand, close to the customer; and
4 – Close to where there is innovation and innovative companies?

If you add up 1+2+3+4, there is a very compelling case for cloning the next-shoring model into IT systems integration. Combined with efficient project delivery methods like lean integration, next-shoring is potentially a term for an approach we’ve been using, which we call LIAM or Lean Identity and Access Management – the topic of our last blog – the principles of which are:

1 – Focus on the customer and eliminate waste;
2 – Continuously improve;
3 – Empower the team;
4 – Optimise the whole;
5 – Plan for change;
6 – Automate processes; and
7 – Build quality in.

By observing the principles above, placing subject matter experts at the customer site (where the demand is), and acting as a hub back into innovative companies (a portfolio of best in class vendors), we are effectively practising next-shoring for systems integration.

And what is systems integration? Isn’t it just an assembly of parts into a system?

by Milan Calina, Chief Solutions Architect, First Point Global

While Agile Software Development is gaining popularity and many organisations are running at least some of their projects following some Agile methods and methodologies, when it comes to Identity & Access Management (IAM) we often see a fair bit of reluctance to approach implementation in any way other than the traditional waterfall methodology.

The reasoning we often hear from clients is: “We tried that ‘Agile thing’ and it did not work out. This is an important initiative, we want to train our staff, and we want every aspect of the system documented to enable ongoing support when your work is done.”

It’s true that IAM projects are often complex and cut across the organisation, and no one can deny that changing an organisation to start ‘doing Agile’ is not easy. But neither of these should be a reason not to be agile, not to think agile when implementing an IAM solution. It’s also important to recognise that an IAM project is an integration exercise, with very little development – less than 5% in most cases.

Doing Agile or being agile?

In simple terms, being agile is a mindset, a way of thinking and approaching work (in our case IAM implementations), whereas doing Agile is employing and following one of the Agile methods and methodologies. (There is a plethora of good articles, blogs, and books on the subject, by the way, which explain why the prerequisite for organisational agility is ‘being/thinking’ agile, not ‘doing’ Agile.)

What has this got to do with IAM implementations? Well, when it comes to major IAM implementations analysts generally advise customers to expect implementation to cost one to eight times the software cost. However, we have seen that with a combination of thinking/being agile and an understanding of what works and what doesn’t, we can implement IAM projects in much shorter timeframes, and for significantly lower costs.

Unfortunately there is no IAM-in-a-box, and one size IAM does not fit all, but experience from most of our customers – where we both ‘thought’ agile – has been that the IAM implementation spend for services/people was in a range of one half to twice the software cost. The ‘waterfall type’ projects, in comparison, are often loaded up with cumbersome processes, excessive documentation and ‘big consulting’ methodologies. Such projects typically cost 3-5 times more than our ‘lean and agile’ projects.

The scary thing is that many organisations still prefer to take the waterfall route. The ‘old school’ IT organisations still seem to be uncomfortable with not knowing, defining and agreeing everything up front. To a large extent, this seems to stem from the experience gained on large scale bespoke software development projects where even a minor change in requirements could result in significant rework – redesign, redevelopment and retesting.

On the other hand, IAM projects generally include deployment of one or more software packages. By the nature of this being COTS software, quite a lot of relevant functionality is built in and, depending on the IAM package, the implementation from a pure technology side becomes more about configuration of the package than custom development around or on top of the software. This fact – configuration not customisation – makes IAM implementations perfect candidates to be architected, designed and deployed in an iterative fashion using some ‘agile and lean’ methodology rather than a waterfall approach.

Key facets of First Point Global’s LIAM approach

When we looked at our ‘success story’ projects, we realised that the way we work and like to deliver projects was all about being agile and not necessarily doing Agile. Even before we knew of the term, we realised we were working in the spirit of what is now referred to as lean integration. Whilst we follow the spirit of The Agile Manifesto, lean integration principles are much better aligned with our work as a consultancy and a systems integrator. LIAM, or lean identity & access management is our adaptation of the lean integration methodology.

From Wikipedia, lean integration can be summarised by seven principles:

  • Focus on the customer and eliminate waste
  • Continuously improve
  • Empower the team
  • Optimise the whole
  • Plan for change
  • Automate processes
  • Build quality in

Whilst some of the terminology used in lean integration may appear a bit harsh, e.g. ‘eliminate waste’ – none of us intentionally produce waste – when you look deeper into the intent and practice behind those principles, they make more sense. For example, this is how we employ different lean integration principles to IAM implementations:

  • One of the time and effort wasters on IAM projects is ‘analysis paralysis’ – insisting on having every little thing analysed and documented up front. On the other hand our process ensures that the requirements are documented and well understood by all parties. Whether this is in the form of Use Cases, User Stories, or Test Scenarios and Test Cases (in the spirit of Test Driven Development) is secondary. After that we normally produce high-level design, which provides sufficient information for a competent technician to start configuration. The client then verifies the configuration against the requirements, and if needed we go through a few iterations of reconfiguring the IAM tool, and once signed off we produce a detailed specification of ‘as configured’ systems. This is also the right time to commence commissioning (or ‘productionisation’) of the system, including design and set-up of necessary operational support tools, processes and procedures. Of course, this is always adjusted so that ‘must have’ client requirements are met, e.g. infrastructure standards and norms.
  • Whenever feasible we opt for smaller teams of cross-skilled individuals. As an example, with all respect for testers (I used to be a tester and test manager in one of my previous lives), when it comes to verifying IAM solutions the business/system analysts who wrote the requirements and were involved in all requirements clarifications and revisions are the best people to test the system.
  • We try to standardise and automate different processes. This may be the initial installation or configuration of an IAM tool, or integration of systems and platforms. Nonetheless, the IAM solution needs to be looked at as part of a broader solution and the impact on affected parties and platforms needs to be taken into account. For example, when it comes to integrating with managed systems for account provisioning or identity analytics and governance, lots of customers like the idea of one interface method and approach. This is great in theory and on a whiteboard. But if the target applications and systems do not support such an interface, and a fair amount of time and effort is required to develop such interface then, if there is a functional alternative, it does not make sense to force such a rule. Similarly, forcing ‘standardisation’ of an application’s access control model and attributes often requires lots of effort in design, set-up and maintenance, and the result is a compromise. (One size does not fit all.)

Lowest cost, fastest time to value, best chance of success

We spend a lot of time advocating agile thinking and lean integration for IAM software implementation projects. Ultimately, when it comes to IAM implementation, the methodology used should come down to the software tools you employ and their capabilities, the expertise that the subject matter experts have in these tools, and the collective team’s ability to rapidly achieve the business requirements. That is what is going to give you the lowest cost, the fastest time to value, and the best chance of success.

The choice of implementation methodology shouldn’t just be about what your organisation is comfortable with. If so, you run the risk of spending a lot of time and money reinventing the wheel or, at the other extreme, an implementation process that fails to deliver, slows you down, and blows the budget. Surely, a career-limiting move for you and for me.

Wow, another year has passed, and I have to say that we’re all looking forward to a break over the Christmas period. Sincere thanks to our many loyal customers, and to our new customers who have partnered with us in their IAM endeavours. This year we expanded our patch with customers in Singapore, Perth and Auckland. In doing so, the company grew a tad over 80%.

What’s driving our growth? Four things: cloud, mobility, social media and compliance.

On July 1, we switched over to a cloud-based accounting system. It’s great. Anyone in the company can run reports, anywhere, any time, on any device. A huge step forward from what was: an office-bound process. Just this week I installed the iPad app for our new CRM and Customer Support Portal.  Yep, I installed it, and I needed no help from “IT”. And yet another bonus – the user experience on the iPad is much nicer than the browser interface. It’s no wonder that our customers are taking up cloud and SaaS in droves. I’m a believer.

It’s great to see that our vendor partners are rising to the occasion, as doing IAM in such a distributed and free environment imposes new challenges. This year our long standing partner, Layer 7 Technologies was acquired by CA Technologies, where its XML Gateway will become a pivotal component of CA’s cloud offering.

SailPoint continues to grow and exceed expectations. Three staff were added in Australia in 2013, and demand for IdentityIQ is soaring. Look out for the next Gartner Magic Quadrant – we knew the SailPoint team was made of the right stuff when we teamed up seven years ago. Also watch out for SailPoint’s IdentityNow. It’s fully cloud-based, does Identity Everything, and is coming to a data centre near you in 2014.

As with Layer 7 and SailPoint, a core part of our strategy is teaming up with innovative companies, who are solving important problems in the IAM space. Keep an eye on Venafi, SafeNet, Netbox Blue, Axiomatics, Centrify and ForgeRock in 2014. All of these companies have vision, innovation and technologies which will make the Internet of Things a reality, making things manageable while thwarting the efforts of the Edward Snowdens of this world.

If we learned anything in 2013 it was that you cannot assume trust any more. Politicians, CEOs and citizens have all become acutely aware of this, so now is a good time to reflect on the key trends that shaped IAM in 2013:

Cloud – We have our first customer whose very IT being is resident in the cloud. Applications, Databases, Security, Identity and Access Management: none of it is resident “on-prem” (as the hipsters like to say), it’s all running as hosted services somewhere in the cloud – onshore and offshore. An interesting point for an IAM guy like me is that IAM is the cornerstone of the system, because there is nothing physical to tether users or applications to – “identity” provides that binding. The organisation doesn’t have a rack or server to its name, and it doesn’t care about hardware, O/S or applications software upgrades. It’s identity centric, and it’s hosted and managed: true utility IT.

Agile – The cloud project described above explored many new frontiers. I don’t think any of the participants could have described the system from a set of requirements up front. Rather, we knew roughly where we needed to go. Refreshingly, the client understood from the outset that it needed flexibility – the process was more akin to exploring and discovering which solutions were appropriate rather than implementing things from a prescriptive list.

Social Sign-on – A few of our customers went live with registration and enrolment based on credentials from social media including LinkedIn, Facebook and Google+. This facilitated the provisioning of large numbers of user accounts without having to go anywhere near a provisioning system. If you think about large scale B2C, this was an enormous cost saving, and there’ll be much more of that to come. We now have several large institutions using Social Sign-on (aka Frictionless Sign-on) as a way of onboarding customers, and many more organisations are planning the same, including government agencies. Drop me an email if you have about 45 minutes to watch a webinar replay on the subject.

Open Source – We saw a larger than usual take-up of open source software this year. I think there’s been a realisation that the software is just as good as the commercial vendor offerings, especially when design and integration support are available locally. ForgeRock, for example, has been very successful with its OpenAM offering, which was based on the original Sun OpenSSO.

Executive Involvement – Regulation, Risk and Agility have driven a shift in C-level executives’ interest in IAM. This year we’ve been on projects where the IAM Steering Committee has read like a Who’s Who of the business, including the CEO, CIO, COO, CFO and CRO (Chief Risk Officer). Given the cost, effort and broad company engagement required to meet corporate governance, compliance and risk standards, the involvement of CXOs will continue to increase. This kind of special executive attention has caused all of us to be sharply focused on business requirements and outcomes. It’s great to see even the engineers now having conversations about risk and outcomes.

IDaaS – We saw a range of start-ups offering Identity and Access Management as a Service this year. Most of these targeted the SaaS market – good for organisations consuming SaaS only but limited appeal to organisations with many legacy applications. We believe that 2014 will see the release of a range of IDaaS offerings that will challenge the traditional on-premise solutions. They will be packaged and ready to go with Identity and Access Governance, Provisioning, Federation, and SSO.

Agile IDaaS – We firmly believe that agility will drive IDaaS success in 2014 and that IDaaS will be offered by a range of vendors, from software companies, to service providers, to systems integrators, or combinations of the above. The ability to respond to individual customers’ requirements and ensure rapid time to value will be the key success criteria. IDaaS will not succeed – or at least will not deliver the promised benefits – using a traditional (clunky) procurement, design and delivery model. Companies like First Point Global will play a role with the on-prem integration, while teaming with other service providers who will operate and run the hosted environments. It seems like this will be the model of the future!

Forgive me if I’ve strayed from a straight round-up of 2013 and mandatory crystal ball gaze for 2014. I had to share my cloud epiphany with you, and I apologise to anyone I may have offended with cloud jokes in the past. I’m a fully clouded up, metro, social media guy now. It’s been a great business year, there’s been massive change, and 2014 looks like even more change. I hope you all manage to get a break over the holiday period. Take care, Merry Christmas, Happy Hanukah and Gong Xi Fa Cai.

Even to someone like me, who has worked in Identity and Access Management for over 13 years, it’s pretty amazing how the consumerisation of technology has elevated the importance of what we do from enabling systems which support the business to driving the business itself.

Take the rapidly emerging area of API Management. Once upon a time Application Programming Interfaces were something only software developers cared about. Now APIs are so common it looks weird to even spell it out. With the explosion of Web and mobile apps running on all kinds of devices, APIs are fast becoming the preferred way for enterprises to do business with digital consumers.

As our partner Layer 7 Technologies says: “Increasingly, enterprises are looking for ways to publish APIs to external developers, in order to expand channels to market, create new revenue opportunities, and grow customer loyalty. By exposing data and application functionality to external apps on iPads, iPhones, consoles, and affiliate Web sites, an organisation can remake its business into an extensible platform.”

Leading global companies like PayPal, Visa, MasterCard and TomTom have already done just that, leaving the rest of us to play catch-up. Whether or not it’s obvious in your sector yet, an organisation’s ability to meet consumer demands to access information whenever and wherever they need it has become a major source of competitive advantage. Without an API Management strategy, meeting or driving these consumer demands to stay competitive or get ahead of the game will become prohibitively difficult and costly.

Done properly, API Management is a way to make money and save money – to achieve a size and capability beyond your current capacity. APIs open organisations up to a broader developer community, increasing innovation and agility, reducing the cost of development and making it easier to support new devices, issues that many are struggling with. At the same time, an API Management solution allows organisations to retain control over information assets by implementing solid security and risk management techniques.

As companies and governments increasingly move from dealing with their clients, customers and citizens in person or over the telephone to online and via a range of smart digital devices, Identity and Access Management becomes absolutely critical. With API Management, there are three aspects to this – the APIs themselves, developers who consume the APIs, and the consumers who use the apps. Achieving the right balance between openness and control for each of these groups is important if your strategy is going to be successful.

As an example, an API Management solution needs to make it easy to consume your services while still protecting consumers’ privacy and security. With OAuth and OpenID support you can bring your own identity – provide a social sign-on using Facebook, Google, Twitter etc. – so consumers are only inconvenienced when it is valuable for them to be so. A consumer may be able to log into a Pay TV service to access an Electronic Program Guide via Facebook, for example, but not be able to access their Pay TV subscription until they link their Facebook and Pay TV accounts – a process known in the trade as stepped intimacy.

In fact, the capacity to interact with consumers via social sign-on provides a whole new way for organisations to leverage the value of their information assets. It’s another good example of how the consumerisation of technology has elevated the importance of Identity and Access Management from enabling the business to driving the business.

Which probably makes it a good time to stop. Until next time!

It’s less than a year since I posted a blog about how 2013 will see progress towards a “new IAM” empowering enterprises to meet users’ demands to access information from anywhere, anytime, from any device, and for any purpose. The acceptance of that vision has been surprisingly rapid. Google “Gartner Identity and Access Management definition” to see what I mean.

In meeting users’ demands, rather than driving them – focussing on control by achieving compliance, reducing the cost of compliance and improving business agility – even the new IAM I was talking about was playing catch-up to the rapid advances brought about by the consumerisation of IT.

What has surprised us this year is how many enterprises want to get ahead of the game to actively drive the consumerisation of IT. We’re seeing interest in API Management solutions, for example, which open up secure access to information to business partners and developers and, via them, consumers and devices.

Organisations aren’t just thinking about compliance and reducing their identity management costs to become more agile in supporting new business initiatives – although that is still of primary importance. They are also seeing identity management as an enabler of new partnerships, improved customer experience and new value-added services which give them competitive advantage.

Achieving these sorts of objectives isn’t just another IT project. It touches almost all parts of an organisation’s operations and requires business smarts as well as technology expertise. There are all kinds of risks and pitfalls, and few organisations can navigate through them without expert guidance.

Because it’s unfamiliar territory, many identity management projects get overloaded with cumbersome processes, excessive documentation and big consulting methodologies. Unfortunately, that just reduces the chances of success when achieving fast time to value is critical, particularly since business agility or enablement are often the objectives. In our experience, an agile development approach – using open systems technology components that deliver a high percentage of the required functionality – is far more successful.

We stand by our claim that when it comes to identity management, we achieve time to value faster than anyone else. With agile development methods and an understanding of what works and what doesn’t, we can implement projects rapidly and reduce the ratio between the cost of software and the cost of implementation.

Analysts in this area generally advise customers to expect a ratio of between one and eight times the software cost. Yet our customers typically spend only between one half and twice the software cost, so a customer might be looking at a couple of million dollars spend instead of ten million in some cases.

That is a massive cost and time saving, which is a competitive advantage in itself.

How to secure the enterprise with Least Privilege

by Centrify Asia-Pacific Regional Director Matt Ramsay

It’s time we took a fresh look at the core problems bedevilling our enterprise security.

Do we only need to guard against the bad guys trying to hack our infrastructure? Or do we need to defend ourselves from the bad habits of the good guys who manage that infrastructure?

The bad guys are a given: Their hack attempts are driven by every motivation from greed to ego. But the bad habits of the good guys – your beloved systems administrators – are another matter.

One example arises from the difficulty that many Windows administrators face: to allocate and maintain finely grained user privileges with standard tools such as Group Policies. As a result, admins get into the bad habit of only deploying coarse-grained privileges in practice.

This creates the situation where sites are either overly permissive, and thus insecure, or so restrictive that users are annoyed by the need to petition IT to make even a tiny change.

The same problem exists in Unix-like environments. Privilege entitlements managed via “sudoers” (the policy file for sudo, which lets users run programs with the security privileges of another user) require expensive resources to maintain a syntax error-prone, text-based system that has no decent enterprise-level administrative interfaces.

The result is that Unix administrators employ the same bad habit of coarse-grained privilege allocation due to the intractability of having machine-specific sudoers (akin to machine-specific GPOs).

In addition, Unix sites frequently resort to the insecure practice of shared accounts to deal with the lack of sophistication of enterprise-grade Unix privilege management.

Bad guys need to find only one flaw. A permissive setup gives them a huge opportunity for phishing (the currently most favoured attack) for accounts that have Domain Admin or similar rights.

Although a permissive setup means your users are by and large happy, any “unhappy” user now likely has Domain Admin rights – thus creating another problem.

These problems are compounded when an over-privileged user leaves your organisation and the overworked IT department has no idea what to turn off – they may not even know that a risk exists.

On the other hand, the restrictive access scenario is onerous and expensive for administrators – who are forced to deal with many petty requests – and annoying for the user.

There’s also a real chance that it will encourage users to find alternate ways of getting things done – that is, circumventing security or finding a grey area such as a SaaS portal to sidestep IT altogether.

The compromise between restrictive and permissive access is called “Least Privilege” – created by easy-to-use tools that can quickly configure and maintain fine-grained security policies.

Security tools need to work more like plumbing than rocket science – they should be affordable and predictable with modest training requirements.

At the moment, expecting a well maintained Least Privilege outcome from the goulash of Group Policies, sudoers files and resulting policy outputs is as silly as suggesting that programming in Assembly will deliver high quality ERP software “if you just try hard enough!”

Admins need the tools to visualise what has occurred and when so they can easily answer questions like: “why does John have backup rights on those machines?” and “How did that come about?”

Rather than rely on guru-like admins or super-awareness, we need tools that can grant and manage fine-grained rights that are as simple to use as making computers and users members of appropriate groups.
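As an added illustration (not part of the original article and not Centrify code), the sketch below audits a sudoers file for the coarse-grained grants described above and answers the "why does John have backup rights on those machines?" question by tracing a grant back to the rule that produced it. It assumes a simplified sudoers subset (one rule per line, no line continuations, includes, negation or command arguments); the sample file, account names and function names are all constructed for the example.

```python
import re

# Constructed sample sudoers content; not taken from any real host.
SAMPLE_SUDOERS = """\
# constructed example
User_Alias  BACKUP_OPS = john, mary
Host_Alias  DBHOSTS = db01, db02
Cmnd_Alias  BACKUP = /usr/bin/rsync, /usr/sbin/dump
root        ALL=(ALL) ALL
%wheel      ALL=(ALL) NOPASSWD: ALL
BACKUP_OPS  DBHOSTS=(root) BACKUP
oracle      ALL=(ALL) ALL
"""

ALIAS_RE = re.compile(r"^(?:User|Host|Cmnd|Runas)_Alias\s+(\w+)\s*=\s*(.+)$")
# who  hosts = (runas) [TAG:] commands
SPEC_RE = re.compile(r"^(\S+)\s+([^=]+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG_RE = re.compile(r"^((?:[A-Z_]+:\s*)+)")


def _split(items):
    return [i.strip() for i in items.split(",") if i.strip()]


def parse_sudoers(text):
    """Return (aliases, rules) for the simplified subset described above."""
    aliases, rules = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = _split(m.group(2))
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        who, hosts, runas, cmds = m.groups()
        tags = []
        t = TAG_RE.match(cmds)
        if t:  # e.g. "NOPASSWD: ALL" -> tags ["NOPASSWD"], cmds "ALL"
            tags = re.findall(r"[A-Z_]+", t.group(1))
            cmds = cmds[t.end():]
        rules.append({"lineno": lineno, "raw": line, "who": who,
                      "hosts": _split(hosts), "runas": _split(runas or ""),
                      "tags": tags, "cmds": _split(cmds)})
    return aliases, rules


def expand(names, aliases):
    """Recursively replace alias names with their members."""
    out = []
    for n in names:
        out.extend(expand(aliases[n], aliases) if n in aliases else [n])
    return out


def find_coarse_grants(rules, aliases):
    """Flag non-root rules that allow any command (the coarse-grained habit)."""
    findings = []
    for r in rules:
        if r["who"] == "root" or "ALL" not in expand(r["cmds"], aliases):
            continue
        reasons = ["any command"]
        if "ALL" in expand(r["hosts"], aliases):
            reasons.append("every host")
        if "NOPASSWD" in r["tags"]:
            reasons.append("no password prompt")
        findings.append((r["lineno"], r["who"], reasons))
    return findings


def explain(user, host, command, aliases, rules, groups=None):
    """Return the (lineno, rule) pairs that give `user` `command` on `host`.

    `groups` maps a user to group names, so %group rules can be resolved.
    """
    principals = {user} | {"%" + g for g in (groups or {}).get(user, [])}
    hits = []
    for r in rules:
        who = set(expand([r["who"]], aliases))
        hosts = expand(r["hosts"], aliases)
        cmds = expand(r["cmds"], aliases)
        if not (who & principals or "ALL" in who):
            continue
        if host not in hosts and "ALL" not in hosts:
            continue
        if command in cmds or "ALL" in cmds:
            hits.append((r["lineno"], r["raw"]))
    return hits


if __name__ == "__main__":
    aliases, rules = parse_sudoers(SAMPLE_SUDOERS)
    for finding in find_coarse_grants(rules, aliases):
        print("coarse grant:", finding)
    print(explain("john", "db01", "/usr/sbin/dump", aliases, rules))
```

Run against the constructed sample, the audit flags the `%wheel` and `oracle` rules, while John's backup rights on `db01` trace back to the single alias-based rule that grants them.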

I’d like to thank Earl Perkins of Gartner, and James Turner of IBRS for recognising First Point Global in recent research assignments. Earl has compiled a global list of leading C&SI (Consulting and Systems Integration) players in the Identity and Access Management sector, and references First Point Global for Australia. James was conducting some market research for a Government Agency which in turn was seeking very deep IAM skills. And I’m delighted to say that James’ analysis also led him to First Point Global.

Analyst recognition is a very useful thing for companies like First Point Global. As specialist practitioners, we are very well known in our IAM community, but clients who’ve not done IAM may never have heard of us. And, as a small company, we lack the big marketing budgets of larger players for major self-promotion. These kinds of reports and activities give clients the confidence and desire to engage subject matter experts like ourselves.  It’s often the case that customers will start their research journey by looking at products, when a best practice approach is to start with business requirements and architectures; then look for products that are a best fit.

And just a little plug for our analyst colleagues:

Gartner report IAM Consulting and System Integration, ID: G00234196, Date 19 April 2012, and look here for information about IBRS.


About First Point Global

From the innovative identity and access management solutions we propose, to the technology companies we partner with, to the way we design and deliver projects, everything we do at First Point Global is aimed at creating sustainable business value for our clients.