Identity and Access Management - Blog

Identity and Access Management community: Discover and share best practices to control IAM for your real world.


  • Is it possible to be compliant without being secure? Or vice versa?

    While on the face of it, this may seemingly be a purely intellectual pursuit, it does have practical implications for today’s organizations. First, let’s tackle the intellectual aspect of this question. Intellectually speaking, the answer is yes, an organization can be compliant without being secure and can also be secure without being compliant. How is this possible you ask? It all has to do with time perspective. You see, compliance is about looking back. Organizations always have a pending audit date. It might be next month, next quarter or next year. Regardless, the IT staff...
  • Four Symptoms of an IAM Project Going Off-Track

    Everyone has an identity and access management (IAM) project. Whether it’s something as simple as providing authorized access to a new cloud application or something as complex as implementing governance for an entire diverse enterprise with tens-of-thousands of users, hundreds of applications, and a heavy compliance burden, the objectives are the same (delivering access in a manner that preserves security and achieves compliance without disrupting operations). Unfortunately the vast majority of IAM projects under-deliver, end up being off-base once they are complete, worked well for the...
  • The Three Fatal Flaws of IAM … is Your Project Guilty of One?

    Identity and access management is hard. I don’t think anyone would argue with that statement. After all we have the whole world as evidence. It seems that everywhere you turn you run into another company in the fifth year of their two-year IAM project, an organization that is way over budget and only marginally closer to reaching their IAM objectives, or the company that’s just struggling to keep its head above water from an IAM perspective. Of course there are companies that have gotten it right, but that’s not who I’m writing to. I would like to talk to the rest of us…those...
  • A Few Interesting Things I Learned at a Recent Healthcare Compliance Conference

    Recently, I had the opportunity to attend the Health Care Compliance Association’s (HCCA) 19th annual compliance institute conference. There were a number of very interesting speakers including the Senior Advisor for HIPAA Compliance and Enforcement from the US Department of Health and Human Services and the Deputy Assistant Director of the FBI’s Cyber Intelligence, Outreach, and Support branch. After attending their presentations, it was quite clear that the challenges facing healthcare organizations might be more complex than other industries because it’s one of the only sector...
  • Context-aware Security is an Affordable Reality – With Dell’s Security Analytics Engine

    If you’ve been following the trends (or listening to the analysts) the next wave of security is centered on a concept called context-aware or adaptive security. It overcomes the static yes/no nature of traditional security with an approach that takes into account the context of an access request and adapts enforcement to perfectly suit the situation. The problem is most solutions of this type are expensive, extremely complex, and place the implementing organization on a long and difficult road before they can realize the benefits of such a solution. But not all contextual security solutions...
  • Solving next generation identity challenges for mobile & web applications

    I'm honored to have been asked to speak on this topic at Signal Developer Conference for Communications in San Francisco. This topic is of particular interest to me since it will, in some ways, be a coming out party for some of the latest work we have done around Dell One Defender, our two-factor authentication product. We have a great history with Defender that goes back to around 2005 when we acquired the UK-based company PassGo. Before the acquisition, Defender was in market a number of years under the PassGo banner. One of the first things we did was engineer Defender to be much more tightly...
  • Who’s Keeping Score? How Contextual Security Can Work in Your Organization

    Imagine if you could move security from a series of static yes/no decisions to a dynamic, adaptive approach that takes into account the circumstances of an access request and enforces the correct decision for the individual situation. This is an emerging practice called contextual (or adaptive) security that is proving to have major positive impacts at the organizations that choose to adopt this approach. Let me explain with an example. There are a number of factors that come into play when deciding who should be able to access what: Identity information such as role and authentication...
  • Change. Adapt. Adjust. Identity and access management at the speed of business

    IAM: A case of mistaken identity. In light of recent, well-publicized cyber-attacks, it is apparent that barriers such as manual processes to request and grant access, the expansion of new applications, and heavy IT involvement and sometimes over-provisioning to ensure access, have left many organizations at risk and vulnerable to security risks. However, the next-generation of Identity and Access solutions are changing how the market views access governance by helping organizations solve current and future security risks while also adding business value through increased operational agility...
  • When security lacks context … AKA: that guy with a big, annoying ring of keys

    Let’s talk for a minute about security, or more specifically, let’s talk about the security of your IT systems, your users, and the data that they both use to further your business. Security is really important, after all if your stuff falls into the wrong hands all kinds of trouble results. So we implement practices and systems to make sure that that does not happen. But the trouble comes in HOW we secure our crown jewels. Because our environments have grown organically over time and not with an ideal, perfect end-state determined even before we started the business, security has...
  • 30 Stories Up Without a Net: Balancing Productivity and Security

    Let’s face it, IT Directors or folks who serve in that capacity are constantly struggling to “walk the tightrope” between too much (or not enough) security and too little (or too much) access. On the one hand, the IT people are constantly being urged by the security team to turn up the security controls to “11” ensuring a very secure infrastructure. But the cost is that some (or many) users will not have ready access to the apps and information they need to do their jobs, which forces them into unnatural acts to accomplish that for which they get paid. On the other...