About

This page contains a single entry from the blog posted on August 15, 2007 10:44 AM.


Identity, Security and Business Risk

Several years ago I had a vision for enterprise security management. In my vision I saw that security risk would be assigned by ERP modules. The risk would be assigned based on the value of business processes, enterprise information capital, physical assets and identities. Once the risk was assessed, the ERP would then automatically create security policies. These policies would then be automatically enforced throughout the enterprise by the enterprise security/identity/physical access systems.

Further, I saw the problems that large enterprises were going to have understanding the security policies. In my vision, I saw that the ERP security module would display the enterprise graphically. A senior manager or Board member would be able to slice and dice security visually. For example, enterprise assets could be displayed by levels of risk. This could then be displayed on a building-by-building basis. Then role access could be displayed overlaying this. The same thing could be done to display business processes by risk. All of this could then be displayed against real time.

At the time, I thought that this vision was not possible. The ERP vendors weren't players in the identity security space. There weren't any standards for identity access and authorization.

Today, the stage is being set to begin turning this vision into reality for several reasons:

1. There are the beginnings of an emergent identity data governance protocol in Liberty Alliance that would allow for intercommunication and enforcement of data security across disparate identity silos and identity protocols.
2. BPM and BPEL allow for protocols to manage business processes and tie this to security.
3. ERP vendors like Oracle and SAP are now players in the identity/security space.
4. Many physical access devices are now LDAP compliant, allowing them to talk to the enterprise LDAP systems.
5. There are virtual directories allowing for rapid integration of enterprise databases into enterprise directories.

What's missing to complete the vision?

* No document management protocols allowing for interchange of document management security policies tied to identity management authentication and authorization protocols
* Lack of strong security modules in ERP that talk to the risk modules and the identity governance modules

I am quite optimistic that over the next three to four years, my vision will become reality.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
