1st Impressions – IBM and IAM Governance

The workshop was timed to coincide with the launch of the latest release of Tivoli Identity Manager (v5.1). IBM’s press release describes the new features in TIM v5.1, but I’ll summarise them here:

* Role management capabilities
The latest version of TIM allows the definition of (optionally nested) roles. Roles are not used to manage user access to resources, but rather provide a structure through which to do it more efficiently.
* Separation of duty capabilities
Separation of duty is a policy-driven feature to manage potential or existing role conflicts. A separation of duty policy is a logical container of separation rules that define mutually exclusive relationships among roles. Separation of duty policies are defined by one or more business rules that exclude users from membership in multiple roles that might present a business conflict.
* User recertification
TIM provides a process to periodically certify and validate a user’s access to IT resources, combines recertification of a user’s accounts, group memberships of accounts, and role memberships into a single activity.
* Group management capabilities
TIM now allows the creation of groups of users, to help with automation of identity management processes.
* Tivoli Common Reporting
TIM’s reporting capabilities have been migrated to IBM Tivoli Common Reporting. This component is based on the Eclipse Business Intelligence Reporting Tool and provides custom report authoring, report distribution, report scheduling capabilities, and the ability to run and manage reports from multiple IBM Tivoli products.
* New APIs

Additional APIs, workflow extensions and Javascript functions are provided to support the new functionality of this release.

The theme for the day was IAM Governance and in IBM’s view “Tivoli Identity Manager delivers important functionality for identity and access management governance”. The new features support governance, by enforcing compliance through product policies (as opposed to technical policies – see Earl Perkins’ blog for more details) and by allowing reconciliation between the policy-based view of user entitlements, stored in TIM’s directory and the reality, defined on the managed platforms and applications. While regulatory mandates don’t demand the use of roles (though corporate policy might) they do offer a simplified abstraction, through which access can be governed. At the risk of being pedantic, I’d call this compliance, rather than governance, but it’s all down to your own definition.

Uniquely among the major IAM vendors, IBM chose not to acquire a niche role management vendor to add this capability and instead developed the capability in-house, as an integral part of their identity management platform. This has the positive effect of avoiding the inevitable difficulties of bringing together two distinct (and often conflicting) technology platforms and development teams. Sun, Oracle and CA are all working through these issues currently, following their acquisitions of VAAU, Bridgestream and Eurekify respectively. On the negative side, it means that role management in TIM is a “work in progress”. However, I’m assured that IBM plan to release further functionality in this area, during the 2nd half of 2009.

What would I like to see added to the role management capability? I think that a function to help with the discovery and mining of roles from existing entitlement data would speed up the creation and deployment of an initial enterprise role structure. I have to declare an interest here. As a consultant, who specialises in the organisational change required for IAM programmes, I strongly favour the ability to run the role mining and discovery effort without the need to deploy the identity management infrastructure and connectors. Once an initial enterprise model is complete (and agreed) then it can be imported into the identity management system, where it should become subject to life cycle management, with TIM providing recertification and approval for changes to role definitions. This approach is elegantly illustrated by CA’s deployment architecture for Eurekify. So, if I had a vote, I’d say integrate role life cycle management into TIM and leave role mining as a stand-alone tool.

My final thought relates to Governance, Risk and Compliance. The objective must be to take result from computerised controls (such as TIM) and use those results to update an overall picture of the organisation’s risk exposure. This is the job of a GRC Management platform. In the final session of the South Bank workshop, IBM showed how TIM can be used in conjunction with Tivoli Compliance Insight Manager. This closed loop integration between security event management and identity and access management allows administrators to compare real user behaviour with desired behaviour, exactly as an auditor would. TCIM can provide a graphical representation of the information, along the lines of a heat map. IBM partner with niche vendors, such as Sailpoint and Aveksa, to deliver a complete IAM Governance solution. Personally, I’d love to see the TIM and TCIM products integrated with (for example) the excellent STREAM integrated risk and assurance management platform from Acuity.

More Here