from rIghT field

What are you Waiting for, it’s Time to Get an iPad, or...um...a tablet...

2012-01-16T14:37:00.009-06:00

Hopefully, you haven’t been waiting around, you already have an iPad and you also understand why everyone else should have one, but there are some who were scared away by the naysayers calling it an overgrown iPod Touch, that they couldn’t work on it, that it wasn’t a real computer, or that it’s just a gimmick, so they haven’t come back yet. They’re missing out!

*Disclaimer – I use iPad like I use the word Kleenex, meaning I don’t say, “Can you hand me a Puffs or tissue?” So go ahead and substitute the word tablet for iPad if you like.

**Disclaimer 2 – I’ve been using an iPad for over a year, I’m on my second iPhone, and I’ve had iPods since the early 2000’s. It’s safe to say that I’ve got a mild case of Apple Fanboy, and therefore highly recommend an iPad over other tablets. More specifically, I would wait until the next iPad is released...maybe March, and get that.

The iPad is definitely not a gimmick. It has been around for almost 2 years, shows no sign of slowing down, and everyone else out there is trying to get into the market. Looking at the graph below shows how the iPad might even be a possible cause for decreasing computing market shares among the PC companies.

Before I had an iPad, I had a netbook. After the initial new gadget coolness wore off, so did the frequency with which I turned it on. The netbook became exactly what it is, a smaller, worse performing laptop. Sure, it was more portable and easier to maneuver on the train, but it had the same software and operating system as my laptop and I almost always wished that I just had my laptop, instead. I know that the iPad isn’t going to replace my laptop, well, not yet, anyway, so I use it to complement my laptop and I’ll reach for either for different things. Accept that fact, that the iPad is not a laptop replacement, and you’ll be very happy with it. To overly simplify, I reach for my laptop for work or when I’ll be doing a lot of typing, and I grab my iPad for just about everything else. I use my iPad multiple times a day, still.

I’m also always looking for ways to incorporate the iPad into my work more often, which I expect to be easier to do in the coming months and years as more and more businesses continue or start to enable their workforces to go mobile and to better use these tools at work. Gartner’s Top Predictions for 2012 and Beyond specifically predicts two items that would make working with an iPad a reality, and a good one at that:

1) By 2016, at least 50 percent of enterprise email users will rely primarily on a browser, tablet or mobile client instead of a desktop client
2) By 2015, mobile application development projects targeting smartphones and tablets will outnumber native PC projects by a ratio of 4-to-1

If you’re on the fence about whether to splurge on a new iPad, or have never been convinced that owning one will help you out at all, think about how far it has come in just under two years and how much further it could go in the next 2!

UPDATE: Just saw these and thought they add more fuel to the fire: Apple to sell at least 48 million iPads this year - analyst and Apple's iOS, BlackBerry tops among Business Users

Have a Question? Make a Statement! - A Project Management (General Life, too!) Tip

2011-07-29T13:13:00.004-05:00

If you have ever worked on a project, or just worked at all, there’s no doubt that at some point you’ve asked a question and haven’t received an answer. You’re stuck waiting for a decision to be made so you know how to proceed. This can be a real issue when managing a project and various teams, or people, get blocked from moving forward by not having an answer or key decision made. Is your project on schedule? We’ll see...

So what do you do when you asked the question or requested an approval and you still don’t have the answer or approval? If you’re like most people, you probably ask again, right? OK, but now what do you do if you still don’t get a response to your email, voicemail, or conversation? Maybe resend with “ACTION NEEDED” in the subject or you put a disclaimer in the message along the lines of, “if I don’t hear back from you by some date/time, I’ll assume that you are fine with this proposal/change/decision/etc.”?

Even if you have the key stakeholder/s in a meeting and ask the question, often times the answer isn’t an answer at all, it’s a delay or a response that says we need to talk about it some more at a later time or with some different people. Then you leave the meeting and you’re still stuck. What do you do then? You repeat the above steps in the second paragraph!

Well, at that point, you just can’t wait anymore! You need an answer, so I have a better idea. Unfortunately, it involves having to get another meeting with the necessary decision makers, but if they’ve been dancing around your questions or reluctant to make decisions, it just has to be done. When you have that meeting, try this little trick and turn your questions into statements:

• “Do you want to have donuts at the Friday team meeting and is it in the budget?” becomes “We’re serving donuts at the Friday breakfast meeting.”
• "Do you like the navigation menu on the left or on the top?" No, now it’s, “The navigation menu is on top.”
• “What’s your favorite color?” changes into “The best color in the world is orange.”

Obviously, I’ve cartooned the examples, but what it does is provoke a reaction. It’s very difficult for a person to sit there, especially a senior manager or key decision maker, and not voice their disagreement with a statement you make at that point. “We’re going to push back the release date 4 weeks so that we can work on so and so.” If the project sponsor isn’t ok with that statement, they’re going to say so right then.

This little tip works well at home, too. Instead of saying, “Hey Jean, want to go to the Sox game on 8/18?” and getting an answer like, “Yeah, maybe” or “We’ll see”, I’ll say, “Jean, I’m buying tickets for us to the Sox game on 8/18.” Without fail, I’ll know whether or not I’m going to the Sox game right then!

RBAC – Quick Thoughts from some Time in the Trenches

2011-01-17T15:08:00.002-06:00

I’ve been working on a Role Based Access Control implementation at a large global bank for the past couple of years. In that time, I’ve experienced, first hand, the motivations for moving to a RBAC system, the pain involved, and have seen the benefits that are provided.

The biggest reasons for implementing RBAC were to improve access certifications/reviews and to reduce the amount of time that employees spent on those reviews and in requesting specific systems and applications access. The thought being that if we could “simplify” user access into predefined functional roles around the access needed to perform a particular job, we could then simplify the request for all that access from many requests down to one request. In addition, a person certifying access wouldn’t necessarily need to know what every access entitlement needed to perform the job was, they would just need to know that the role correlated with the job and certify that the user is in the correct role. The responsibility for ensuring that the proper access was contained within the role was given to the new concept of role owners.

On the surface, the reasons for wanting RBAC seem pretty logical and straight forward. Let’s reduce time “wasted” outside of performing our real jobs. Let’s make it easier for the managers tasked with certifying their employees’ access. Nobody is going to argue that those are bad ideas. Go ahead and implement RBAC! However, nothing worthwhile comes easy…or so I’ve been told.

The difficulty in implementation, to get those benefits, came in a few ways, none of which were insurmountable, but I just think they’re worth pointing out. You know, full disclosure and all. So, first, in order to simplify thousands of entitlements, we needed to catalog them and understand them. To do that, we had to talk with people (some more cooperative than others) across many teams and business units to get that information. Once we had all of that entitlement information collected and aggregated in our role management software, we needed to build efficient, purposeful roles that applied to each of the specific job functions throughout the organization. That required collaboration with most managers to identify groups of people performing similar jobs, where they would more or less need the same access to perform their day to day jobs. The hardest thing about this step was the time involved and getting the cooperation from the many business users needed to manage the roles. We required some back and forth communication, had to run reports on the many groups of people to identify all of their current access, and then had to build the foundation of the role that would apply to that group. At that point, it was up to the role owner to whittle the role down from the group’s total collection of access to what was determined to be required to perform the job. Finally, we had the makings of a role that we could build within the role management tool and assign to users.

What does any of this mean? Ultimately, I think that using RBAC is still a very good idea, it really does simplify things once all the constructs are in place. Future enhancements involve having HR systems changes automatically trigger role assignments and removals for employees, eliminating any time spent by employees requesting access. Just don’t be taken by surprise when you realize how many layers you have to peel back to get things built right, and how much time that takes. I’ve thought about it a lot and as far as I can see it, the only way to speed things up would have been to do it worse or add more people to the team. Neither of those were options we were willing to, or could, take!

Quick Social Media Marketing for your Business

2010-11-18T14:24:00.001-06:00

Even if you’ve been living under an isolated rock in Siberia, you’re probably familiar with Facebook and Twitter. Besides seeing pictures of friends and family, finding out that Joe just had dinner, and that Mary is going to see a movie, did you ever think about the broad reach and marketing potential of these social media sites? Have you thought about how you could use that power to promote yourself and your business, make new contacts, and create new business relationships?

Building a professional online presence is essential in today’s business world. It gives prospective clients, employers, employees, etc. a controlled view of you and your business. It also provides valuable credibility. How do you view a business without a website, or just a lousy, annoying one? Additionally, your professional presence shouldn’t be limited to just LinkedIn, you need to show up on Facebook, Twitter, and it wouldn’t hurt to blog, either. Why? Because that’s where 500 million users are spending their time, and that’s how you can generate new leads and new business from sources you never could have reached as easily, before.

I’m not going to suggest what content you should be creating and promoting because that will vary wildly depending on your line of business and the size of your company, but keeping your content updated and fresh is very important. The more links and updates that you have going to your website, the better it looks to Google and other search engines. That’s search engine optimization. Why does that matter? Because if your website ends up on the first page of search results, then you’re more likely to get a call from an interested, potential customer.

This may sound like a big headache to coordinate the content and updates to multiple sites, then aggregate all of those updates back for inclusion onto your business website. However, the beauty of it is that with a little bit of coding on your website, and the use of a free cloud based mashup utility like Yahoo Pipes to configure your content feeds, the whole process can be automated and hands free. Write a new blog, boom, it’s not only on blogger, or another free blog site, but it’s also on your company site automatically. Relevant posting to Facebook or Twitter, tag it and it can also be automatically fed to your website.

Once you get your social media marketing framework setup, all that’s left to do is to get your employees and co-workers actively engaged in creating some content. Schedule that production and you’ll have a constant stream of fresh ideas and updates hitting your website, then it will come back on the first page of a search in no time!

Don't Put a Dumb App on a Smartphone

2010-09-14T15:08:00.003-05:00

Smartphones, iPhones, Droids, Blackberries, apps, and app stores... They’re all the rage right now and everyone is jumping onboard. That’s great news for new product development, but only if it’s done with the right mindset and not just for the sake of having something for mobile.

First and foremost, a mobile app has to be useful, fast, and easy. Additionally, even more so than standard software, it needs to be especially observant to the situation in which it is most likely to be used, as well. What value can the mobile app add to that particular situation?

Generally, a user opens a mobile app when they don’t have access to a computer, or the laptop is powered off in their backpack as they’re walking through the city, riding the train, etc. They want to find out where something is, make a reservation for the restaurant they just decided to go to across town, pay a bill they just remembered is due and forgot to take care of before they left, record a show at home on their DVR a friend just suggested, find out what time a place is open until, and so on. You get the idea. These are all things that are very relevant now, or in the immediate future, to the user.

In most cases, a mobile app has to be more than a one trick pony. Remember, the user has to have had a reason to already have the app installed. If they just want to know what time the restaurant is open until, they aren’t going to have, or want, a mobile app for that restaurant. The user will just go to their mobile web browser and find out, or better yet, go to an app like Urbanspoon or Yelp!. However, if the mobile app for that restaurant also allows mobile ordering ahead, reservations, menus, nearest location, and so forth, it might be worth having the app installed, i.e the Chipotle app...if you like burritos.

A mobile app needs to be quick, easy, and intuitive. Mostly, because I might be using it when I’m at a red light, probably shouldn’t be using it then, but let’s be real, it happens. Now is the time for fantasy football and I was stuck having to run an errand when I realized that one of my drafts was about to start. Luckily, ESPN had built a mobile draft app into their mobile website, even one without Flash for us iPhone folks. Granted, it didn’t provide all the info the regular draft center did, but it was quick and intuitive to use. I didn’t miss a pick, and was still able to mess up my draft perfectly!

How do you know what might be the most useful or of greatest interest to your users? If you already have a website up, monitor traffic to the various features and functions to see which are the most popular? Think about those functions from a mobile perspective, somewhat described earlier, to see if they make sense that way. If so, start to formulate a mobile app based around those features.

Get into the mobile, on the go, mindset when creating your next mobile app and you’ll add more value to your user’s situation right there, right then, on their smartphone!

The Mobile Apps You Should be Creating Now

2010-07-30T14:48:00.003-05:00

Run a couple of quick Google searches and you’ll see that the incredibly fast pace of mobile app development now provides us with over 200,000 apps in the iTunes store and over 100,000 Android Apps. That’s a lot of apps to sort through, learn about, and to decide whether or not you want to buy, or invest any of your time in. Is there an app for that??? How are you going to create a mobile app that provides value to your user? How are you going to build a mobile app that can generate positive buzz in the blogosphere?

Here are some thoughts about the two most important things to keep in mind when you’re dreaming up your next app, and hopefully, these ideas will help you on your way to answering the questions above.

The Device:

It seems so obvious, but you need to remember the hardware that your app will be running on and realize the things it can and can’t do. There are a ton of apps out there that try to mimic desktop applications, which I think is the wrong approach most of the time. Do you really want to run Excel on your phone? You should be looking at ways to take advantage of all the things a mobile device can do differently than your traditional computer and incorporate those into your app.

How can you use the camera/s or video camera? The new Chase iPhone banking app that lets you take a picture of a check that you want to deposit, transmits that photo to Chase, and then the check is deposited into your account is awesome. That’s the type of innovation and usefulness that separates mobile apps. More importantly, that’s the type of mobile app that seriously has me thinking that I’ll leave Citibank for Chase... On a side note, this is why your business needs to pay attention to mobile product offerings, because the rest of the banks out there better get to work on similar functionality fast! What could be done with the GPS or the compass? How about the accelerometers? Does the device have a radio tuner?

One of my favorite mobile apps is iHandy Level which uses the accelerometers, once calibrated, to act as a level. It might not be the best level, but I know where to find it whenever I’m hanging a picture!

The Audience:

This can be thought of in two ways. First, you should have a target audience, be it a certain demographic, or users of specific types of products/services, etc. That’s just a sound idea in any product development cycle. However, the other way to view your audience is as fleeting, in that they’re generally not going to be using your app for long periods of time on a mobile device. You need to stay focused on providing information, usefulness, or entertainment in quick chunks. Mobile apps are the Sportscenter soundbytes of applications, booyah! Keep it quick, keep it simple, and keep it fun and/or useful. Remember to plan out app entry and exits, as they could be abrupt when the user gets a phone call, for instance. If they were in the middle of something with your app, ideally it brings them back to the same place when they’re done with the call, or if it’s a sensitive/secure app, financial for example, it needs to log the user out if it can recognize the call has ended and the user hasn’t resumed their spot in your app.

Mobile apps are an exciting opportunity to reach people in different and more creative ways. Avoid thinking about them as any other software development project and you might have the next hit featured in an iPhone television ad!

RBAC – Bringing it to the People; Some Thoughts on Creating their Roles

2010-06-03T20:01:00.007-05:00

Obviously, Role Based Access Control is all about the roles that people will be assigned to for their system and application access, but there’s so much more involved in a successful RBAC implementation. Often times it seems like we start to lose sight of the main ingredient!

You’ve got a role management system purchased or custom developed. The application environments are up and available. The software is loaded and operational. You’re receiving access data feeds from all of the system and application teams within your enterprise, or you have built automated connectors to source systems to retrieve that data on your own (ideal situation). The role management solution is synched up with the HR system for all of your identity information. Provisioning data for every access entitlement is stored and accessible by your provisioning engine. It’s time to fuel up with the main reason for all of this effort and create the roles that people are going to be referencing and using in the business, so that they have the appropriate access they need to do their jobs.

Roles, Roles, Roles...

As much as I’d like to say there is one perfect way to create the functional, or business, roles that the users will be assigned to, I can’t. What I’ve learned is that you have to inspect and adapt (subtle Agile reference…) to the business you’re working with to include as many people in the most efficient roles as possible. Some organizations are already going to have HR roles assigned to people that may or may not translate accordingly into the type of functional roles we want to base access around. Furthermore, employees might be in specific departments or divisions which would seem like good candidates to build roles around, but again, it’s not always meant to be when it comes to access. What am I getting at? Those roles were created for reasons other than giving people the access they need to do their jobs, so you have to approach the creation of functional roles for RBAC as a unique, focused activity.

Top Down Approach - The Overhaul:

If your company is like most, you won’t be able to hitch your functional roles to pre-existing corporate roles; you’ll need to create them on your own. The job title can be a good place to start, however, access for people with the same job title can vary wildly from department to department, be mindful of that. Some businesses will take a top down approach and decide that there are really x number of job roles being performed, so we’re going to categorize the people and their access into those roles. This is what I’ll call the overhaul method. The pros with this tactic are that it’s faster and easier to implement since you’ll get your role definitions from one person or committee. Another positive is that most likely the number of roles created will be less than with other approaches, so role management will be simplified. The cons with this are that the roles are going to be more generalized for a larger population, meaning that more people are more likely to have more access than they require. Without paying special attention to that, you could be increasing risk instead of decreasing it!

Bottom Up Approach:

Other organizations won’t be able to even begin thinking about doing it that way because their job roles are so differentiated. They will need to follow more of a bottom up approach, where you’ll pick small groups of individuals who are designated as requiring similar access for their jobs and then analyze the access those people already have to form roles. This step will need to be repeated many times as you work your way through the organization. The plus side of this approach is that the roles you create will be specifically tailored to the people assigned to them. The negative side of this approach is that it’s more time consuming and requires many points of contact as you move through the business. You’re also likely to create separate roles for different subsets of employees that have very similar access. However, you won’t know it until you get into role management lifecycles and role comparisons where you’ll want to try and combine those roles if possible.

To sum it up quickly, there isn’t a silver bullet approach that will magically create your perfect roles fast and easy, you’ll need to explore the business functions within your organization to determine what type of approach is needed, top down or bottom up within your functional roles. The good news is that there’s always plenty of time to polish the roles over time and with user feedback!

The Most Important Thing about implementing Scrum…

2010-05-10T20:11:00.001-05:00

One of my favorite things about Agile and the Scrum framework is that you are encouraged to, and should, constantly inspect and adapt to improve things about the project. So, take a look at all the things done in the previous sprint and how they were done to see if there is some way that the task could be more efficiently completed, or if there’s just a better way for the team of people you’re working with to handle things and work together.

Often times, what will be discovered is that the team would like to make use of the sprint task board differently, or there isn’t a clear focus on how the estimates of remaining tasks effect the sprint burndown tracking chart. You might hear about how impediments to development could have been avoided or handled in a different manner. However, that type of inspection is only going to come from an established Scrum team, one that understands and knows how to operate within the Scrum Framework.

Sometimes, though, you have to inspect what’s happened before you even started the first sprint. Therefore, the most important thing about implementing Scrum is educating all of the people involved right at the beginning, before the first sprint. That doesn’t mean that every person needs to be shipped off to Certified Scrum Master (CSM) training in order to effectively implement Agile and work on a Scrum team. What it does mean is that every person needs to get a basic foundational understanding of the Agile methodology and the Scrum framework. It’s pretty hard to do something right, or at all, if you don’t know how to do it... Unfortunately, a lot of troubled implementations involve people just being told that they’re now on a Scrum team, we’re doing things like this, and be at the daily scrum at 8, thanks. Without the general knowledge of what Scrum is, those people are much more likely to want to fight the change. After all, who likes to make a change to something that they might think is working just fine, or that they’re really comfortable with?

When all of the people involved understand the what and the why of Scrum, it’s easier for them to start to adopt the framework as their own and feel more like a part of the solution and reason for the improvement. Since sending your entire team to CSM training is unrealistic with timing, travel, and costs, I think a better solution could be to bring in a CSM or two to run those training workshops with your team. If you’re planning on implementing Scrum across more teams, eventually, it might also be very helpful to have the CSM run the first couple of sprints while training a new successor to follow as the Scrum Master.

Teach your people how to fish, give them the general knowledge so that they’re primed and ready to hit the ground running and you’ll have more productive and creative sprints from the beginning. You’ll realize real improvement in your new product development by the third or fourth sprint that way, and your team will be that much better for the bit of effort spent on training them!

I&AM Basics Overview Presentation

2010-04-29T13:46:00.004-05:00

Here's the deck for an informal presentation I did at our I&AM Meetup Group meeting this week.

I&AM Basics

View more presentations from erosenzweig.

3 Pitfalls to Avoid with Role Based Access Control Projects

2010-02-23T13:50:00.003-06:00

3 Pitfalls to Avoid with Role Based Access Control Projects

By Eric Rosenzweig

Implementing a Role Based Access Control (RBAC) solution into your business is a great way to improve the efficiency with which to provide appropriate access to employees. It’s also a terrific means to more accurately and effectively certify that employee access is, and remains, correct. However, with such a large, wide-reaching project, there are some pitfalls, which should not be overlooked or underestimated, because they can adversely affect the whole project. Here are 3 of those pitfalls to be mindful of:

1. Getting the Support of your Non-IT Business Partners

After all, this is a project to make their lives easier. Creating a high level steering committee from the business side to work with IT in designing the business process around the new functionality of RBAC can get them involved and truly feeling like this is their project, as well. In our current economy, project funding is often reviewed in order to determine what’s absolutely necessary. The business, which generally controls the overall IT budget allocations, is going to look more favorably on projects that they have a better understanding of, are involved with themselves, and that will reduce operational costs. Not having their support can lead to a budget cut, less resources, or worse yet, the termination of your project. Not to mention, having their support will definitely make roll out a much smoother transition.

2. Missing Access Data

Whether your business already has an identity and access management solution in place and is looking to improve upon it by moving to RBAC, or if your business is going in fresh using RBAC as its first attempt at automated access management, the solution will only be as good as the access data currently available. Systematically, a role can only be built around systems, applications, and their entitlements that are stored by you, that you have real time access to, or that are reported to you via scheduled file uploads.

Ideally, all of your organization’s data will be available at the start of your RBAC implementation. If not, be cautious to not overlook certain access requirements that a business area might have to perform a specific job function, and adjust the role creation accordingly. For instance, if a marketing assistant role is created, but it doesn’t have the entitlements to access all of the data required to perform that role, then this will create greater headaches by having the incomplete role out there. A marketing assistant would need to do something else, outside of being assigned a role membership, in order to perform the job. Therefore, it’s better to not create that marketing assistant role until it’s complete.

Confused on how to know if a role created from all of the current access data is complete? Well, that’s where pitfall number 3 comes in…

3. Avoiding Business Role Ownership

In order to validate that the roles created are complete, people need to get involved in the process that are actually familiar with the job functions to be performed by a user within a proposed role, and what the access requirements would be for that person. The best way for those people to be involved and to have them vouch for the integrity of the roles, is to make them a role owner. If the assignment of a role owner responsibility is avoided, or the value of their collaboration on the initial role creation overlooked, then there’s no possible way to ensure that the roles are 100% accurate, effective, and that they’ll stay that way over time.

The role owner stays in tune with the role, realizes when there needs to be a change in its configuration, and certifies that it’s still correct and purposeful to their business. A role can be created based on the info available then presented to the manager or potential role owner to verify that role will do the job for them. They should have the knowledge and familiarity to let you know if something is missing.

Cleaning up identity management and access certification

2009-12-23T13:13:00.007-06:00

Very often the focus, or driver, of an identity and access management (IAM) solution is to get employees the access that they require quickly, accurately, and without having to make multiple separate requests. That's a great idea, and what I spend a lot of time working on. However, just as important would be removing access from employees who have been transferred or left the company. Unfortunately, this gets less attention.

A major component of a sound IAM program is an access certification piece. This is where managers, designated approvers, or oversight groups review employee access. Typically, this type of review should happen at least annually. During the access certification, the person responsible for approving the employee's access should also be able to remove access where it is no longer appropriate or necessary. That sounds easy enough. However, it’s not so easy if the certification tool doesn’t present clear and understandable data about the user’s access. People working outside of the information technology department -- the majority of most companies -- don't understand the components presented. Active Directory group names can be cryptic, web portal application group names can be misleading, and mainframe transaction codes are meaningless to almost everyone, yet those are the types of entitlements that could define employee access.

Ideally, you'll address this issue during your initial implementation. You'll provide clear, business friendly descriptions to go along with the specific access entitlements. If you've already got an IAM program running in your company, it's not too late. You just need to get back into your data and clean it up! Most likely, you'll need to enlist the help of the application and system owners to provide those descriptions. The good news is that it shouldn't be too difficult on their end, since they're the ones responsible for making sure the entitlements do what they're supposed to be doing, and they're probably the people who set those entitlements up in the first place.

You might question what the point of all of this is. Why jump through hoops for something that is working fine, as far as you can tell? Well, the "as far as you can tell" part is why. Access certification is only as valid and efficient as the approvers/managers performing the certifications. What happens when that manager doesn't understand what they're certifying because, to them, all of the access information might as well be written in Klingon? Rubber stamps happen, lots of them. Those approvers, who don't understand, take the easy way out of a task that they most likely view as a nuisance, anyway. The approver just clicks "certify" or "approve" and they're done. The annoying reminder emails stop coming and they don't have to think about access certification again until next year. The other scenario is that they don't even perform the certification, continue to ignore all of the reminder notifications, and hope that the compliance team doesn't come after them. Either way, the access certification process that you have built is entirely fruitless, at that point.

I'm not saying that once you improve the descriptions in your access reports for access certification that every single approver is going to honestly review each employee they're responsible for, there will always be some rubber stamps out there. The majority of approvers should find it interesting to see what access people have, once they can understand it. They'll also be more likely to clean up the access that the employee, who has transferred around the company for the past 20 years, has collected along the way. Clean up your access entitlement data with business friendly descriptions and you'll also be cleaning up your company's stale, or inappropriate, user access, as well!

Role Based Access Control: RBAC 101

2009-10-13T19:01:00.006-05:00

Role based access control, more commonly referred to as RBAC (r – back), is a functional enhancement to identity management solutions. I call it an enhancement because we're not reinventing the wheel with RBAC, just making identity management better, more efficient. The main components of an identity management solution are still present and used with RBAC, like user ID's, applications, and specific resource entitlements. It's just that RBAC introduces a new layer of structure and association between the ID's and the resource entitlements. The end result of that new layer is that the access requirements are easier to understand for everyone involved, from the business person who requests system access, to the manager who certifies that the access is appropriate, and to the tech support person who configures the access permissions.

So, what's this new layer introduced with RBAC? The roles! Almost every company is using some form of roles. It's just that they're probably not utilizing that information when they're managing identities and access rights. Generally, people are already grouped and identified within their companies by job titles/codes. For example, there could be account managers, account executives, sales managers, operations managers, payroll administrators, etc. The idea is that the users classified as payroll administrators should essentially be performing the same, or very similar, job tasks. Therefore, their system access requirements should also be the same.

Based off of that premise, using RBAC principles, a functional or business role would be created for the payroll administrator. The specific entitlements that a payroll administrator routinely uses would be grouped into Resource or IT roles based upon the system platform or application. This simplifies the access request for the new payroll administrator. Instead of that user having to know that they need x, y, and z from the HR system, a, b, and c from the IBM mainframe, and belong to 3 different Active Directory groups, all they have to do is request the "Payroll Administrator" role. That's it from the end user's perspective, easy. Behind the User Interface, the Payroll Administrator role is mapped to one or more Resource roles which have combined all of those fine grained entitlement details into easy to handle groupings. Provisioning of that access request can still be executed the way your current identity management solution handles it. Like I said, the components of your existing identity management solution are still needed, and can still be used.

In addition to the increased ease that RBAC provides to the end user selecting access, it also greatly simplifies access certification or governance. Your company should already be doing periodic reviews of user access to ensure that people have the access they need, not the access they've collected over the years or through job transfers. Unfortunately, the person or group responsible for that review, often times, is looking at highly technical entitlement descriptions. They don't understand what they are reviewing, especially if they are outside the technology department. Here's where using RBAC also tremendously helps that person out, by asking them to certify what they recognize and are qualified to review. They should be able to understand, and signoff on the fact, that John Doe is a Payroll Administrator and also a member of the Payroll Administrator functional role. Once again, that's it, no need for the reviewer to understand, or worse yet, blindly signoff on, what something like "boe_proll_p_read" means, anymore.

As you can see, the benefits of using RBAC within your organization are a much more efficient end user experience, greater consistency in the access that the users have, and the ability to quickly and accurately certify that the access your users have is correct. All of that adds up to less time wasted trying to get an employee the access needed to do their job and less risk of an employee having too much, or incorrect access.

How have you seen RBAC described or used? Have you found other major benefits to having RBAC used within your organization?

A Mostly Comprehensive Identity and Access Management (IAM) Vendor List

2009-08-20T10:35:00.006-05:00

On a current project, I've had to discover and evaluate some vendor offerings in the IAM (Identity & Access Management) space. Much of this information is easy enough to find, it's just time consuming. So, in an effort to help everyone out, here's a list of many IAM vendors that I've roughly attempted to sub-categorize:

IDENTITY MANAGEMENT (What can your user's system ID get access to?)

ASG - http://www.asg.com/
Avatier - http://www.avatier.com/
Aveksa - http://www.aveksa.com/
Beta Systems - http://www2.betasystems.com/en
BHOLD - http://www.bholdcompany.com/
BMC - http://www.bmc.com/
CA - http://www.ca.com/
Centrify - http://www.centrify.com/
Courion - http://www.courion.com/
Evidian - http://www.evidian.com/
Fischer International - http://www.fischerinternational.com/
Hitachi ID Systems - http://hitachi-id.com/
IBM - http://www.ibm.com/
Imanami - http://www.imanami.com/
NetIQ - http://www.netiq.com/
Novell - http://www.novell.com/
Oracle - http://www.oracle.com/
OSM - http://www.cosuser.com/
Quest - http://www.quest.com/
Radiant Logic - http://www.radiantlogic.com/
Sailpoint – http://www.sailpoint.com/
Sentillion - http://www.sentillion.com/ - Healthcare Identity Management
Sun - http://www.sun.com/
SymLabs - http://www.symlabs.com/
Voelcker - http://www.voelcker.com/

AUTHENTICATION (Is the person with the user ID who you think they are?)

ActivIdentity - http://www.actividentity.com/
Authentify - http://www.authentify.com/
Digital Persona - http://www.digitalpersona.com/
Entegrity - http://www.entegrity.com/
Entrust - http://www.entrust.com/
Digital Certificates Gemalto - http://www.gemalto.com/
GlobalSign - http://www.globalsign.com/ - Digital Certificates
Imprivata - http://www.imprivata.com/
Passlogix - http://www.passlogix.com/
RSA Security - http://www.rsasecurity.com/
Thales - http://iss.thalesgroup.com/
Tumbleweed - http://www.tumbleweed.com/ - Email Security
VASCO - http://www.vasco.com/

HARDWARE / APPLICATION DELIVERY / OTHER

A10 Networks - http://www.a10networks.com/ Hardware, Application Delivery
Aladdin - http://www.aladdin.com/ Enterprise Security
Citrix - http://www.citrix.com/ Application Delivery
Fastpass - http://www.fastpasscorp.com/ Password Management
HID - http://www.hidcorp.com/ Physical/Logical Access
Mirapoint - http://www.mirapoint.com/ Hardware, Email Security
Nortel - http://www.nortel.com/ Network Identity Management
Omnikey - http://www.omnikey.com/ Physical/Logical Access
Securent - http://www.securent.net/ Entitlement Management
Symantec - http://www.symantec.com/ Enterprise Security

If you have any updates to this list, let me know. I might maintain it for a little while, at least until Oracle buys the rest of them... Do you have any experience with one of these vendors? Was your experience so bad that I should save the world and remove them from this all powerful list? Have you had a really good experience? Will the White Sox make the playoffs?

Welcome to rIghT field

2009-08-11T13:53:00.005-05:00

Well, I'm finally getting the blog started. Upper Management really encourages this sort of activity...and I decided it's better to blog, than to check out the unemployment office. No, I'm exaggerating, I hope, but I've been thinking about this, and wanting to do something like this for a while. Of course, I just learned that the NY Times was at my neighbor's house, last week, to talk to him about his blog. I'm not really sure what he does, thought he worked for the Shedd Aquarium, nor have I ever heard of or read his blog, but, clearly, his blog is better than mine...for now. Obviously, it's just a matter of time until I'm sitting there with Matt, talking about the huge success of "from rIghT field" on "The Today Show".

Why the delay in starting such excitement, then? (And I'm sure all 5 of you have been waiting with baited breath...) Really, I couldn't decide on a specific topic or focus for my blog, but then I decided that was exactly it. This blog is going to be very specifically focused on nothing! I'm going Gump with this blog, "Life is like a box of chocolates, you never know what you're going to get." What I think about and what I'll write about will have something to do with IT, or technology in general, since that's what I do for a living (at least until I'm in Cannes talking about the premier of "from rIghT field - the movie"), but it's not going to be the same subject every time. That's what I'm sure of.

Who am I and why are you reading this? Unfortunately, I can't tell you why you're reading this, sorry. However, I can give you a little background on myself. I’ve been working in information technology since my e-commerce startup days in 2000, doing a little bit of everything. For the last 2 years, I have been consulting. Currently, I’m working to define business requirements, analyze vendor offerings, and implementation planning for a Role Based Access Control (RBAC) project driven by the information security team at a large financial institution.

Hopefully, from time to time, you'll find this blog to be helpful, thought provoking, argumentative, or entertaining. If not, you can always go read something else, but thanks for stopping by to see what's going on from rIghT field!