Processes of Identity and Access Management

Last Friday our volunteers group met again in Frankfurt for the 9th quarterly meeting.

After a short introduction and welcome to our new members, the working groups reported their progress.
As modelling is our key activity, the modelling approach was debated intensively.
From start it was the main intention to collect all existing models and implemented enterprise processes trying to factor out a generic process layer. This bottom-up approach turned out to be not easy and offered some pit-falls.
In order to complement this approach and to create a more general “birds eye” view the group started modelling following a top down method.
Each method has its merits and its disadvantage:

• While the bottom-up way always maintains a solid foothold on proven real-world implementations it can on the other hand lead to arbitrary results in terms of naming folklore and physical artefacts.
• The top-down path however starts from a clear conceptual set of definitions and derives its conceptual framework by stepwise simple but compelling refinements. Especially due to its use of coloured Petri Nets it is however blamed for its theoretical approach; virtually incomprehensible for practitioners.

Both approaches are in fact meant to meet at common ground somewhere in the middle – on the “generic layer”. We hence expect to take the best of both worlds.
And the result has to be shown to the world. We hope to be able to do so at the 2nd European Identity Conference, starting April 22nd in Munich. You are welcome to visit us at our both there. – See you in April.

We like to invite you to attend our 9th regular quarterly GenericIAM meeting. We will meet Friday, February 8th, at the NIFIS in Frankfurt. We have scheduled the meeting from 09:00 to 17:00.

The location will be NIFIS e.V.
Hanauer Landstraße 300
Frankfurt am Main
Germany
Phone: +49 69 40809370
Fax: +49 69 40147159
Internet: http://www.nifis.de

The strategic questions related to Identity Management are frequently repeated in every new project. Enough reason for me to write an article (in German) which gives answers to those people, who have to think in strategic dimensions (mostly CIOs).

1. When do we need Identity Management?
2. Which risks do we have today?
3. How mature are the others?
4. Why couldn´t we wait to the time we urgently need it?
5. What is different in IAM-projects?
6. What are the most common mistakes in IAM-projects?
7. Which objectives could we support ?
8. What is the most cost effectiv way for a solution?
9. Who supports the CIO?
10. What doubleSlash can do?

By the way: Corbin H. Links wrote a great post about the "Strategic System Idealism and Legacy Reality".

Today we added a nice widget on the right sidebar. Its called "Blog Rush" and is the new product from John Reese of Income.com. I found the hint to this widget on Infopirat.

How Does BlogRush Work?

Basically, you sign up for BlogRush, submit your blog in the proper category, and then add the widget. The widget shows 5 links to blog posts in your same category.

For every pageview you get, one of your posts will show up on another BlogRush widget on someone else’s blog. The other person’s blog will be in the same category as your blog.

Give it a try, embed it in your blog.

We like to invite you to attend our 8th regular quarterly GenericIAM meeting. We will meet Friday, October 12th, at the NIFIS in Frankfurt. We have scheduled the meeting from 09:00 to 17:00.

The location will be NIFIS e.V.
Hanauer Landstraße 300
Frankfurt am Main
Germany
Phone: +49 69 40809370
Fax: +49 69 40147159
Internet: http://www.nifis.de

The father of our group GenericIAM, Dr. Horst Walther starts a series of articles about digital identities in the famous german IT-Newspaper "Computerwoche".

This week (number 23, from june 8th) the first part was published on page 28/29 with the headline "No integration without digital identities". The next three articles will follow in the emerging editions.

We like to invite you to attend our 7th regular quarterly GenericIAM meeting.

We will meet Friday, June 29th, in the CSC building in Munich. We have scheduled the meeting from 09:00 to 17:00.

We thank Mrs. Dr. Angelika Steinacker, CSC for hosting the meeting.

The location will be
CSC, IT Management & Security
Sandstr. 7-9
80335 München
Germany
Phone: +49.89.5908.6485
Fax: +49.89.5908.6503
Internet: http://www.de.csc.com
See: how to get there

Last monday we hold our 6th GenericIAM meeting. The first European Identity Conference (EIC) hosted the meeting. We used this shortened meeting to present our initiative to some interested guests. Subsequent to this we had the privilege to listen to Dave Miller, CISO for Covisint. Related to IAM in general he explained the strategies and activities of Covisint. 

The feedback from our guests was pretty good. They all agreed with us that we definitively need an IAM process model. We would be pleased to stay in contact with our guests. Perhaps someone likes to join our initiative.

Processes and future:

M. Neher: In which way do you develop your process models?

Dr. Walther: "The fundamental idea is to identify recurring similarities which we can arrange in consistent models. This is the only way we can get general, universal models.
We decided to take five steps:

1. Selection of processes
   The members decide itself which of their processes will be provided for the initiative.
2. Take-over
   Our task force “Modelling” takes over the models and documents them in a formal manner.
3. Modelling
   The aim of this step is to identify and isolate general aspects of the processes. These aspects are used for our own models.
4. Quality assurance
   GenericIAM authorises modelled processes after proving them. For this purpose special reviewer control all the models. If necessary we engage external experts.
5. Publication
   The results of the modelling activities will be published by GenericIAM annually."

M. Neher: Can you tell us something about concrete results?

Dr. Walther: "On the one hand we could gain very useful input from consumer companies like BMW Group, Dekra and the WestLB. On the other hand consultants and software integrators like doubleSlash, iC Consult and ism offered stuff from practice.
I’m very optimistic that we will present our first reference model in late 2007 to the public."

M. Neher: Is there any concrete timetable for your standardisation efforts?

Dr. Walther: "We depend on voluntary work. So we are not able to plan our activities in a very strict way. But we have the aim to go international and to publish our first reference model in 2007. "

M. Neher: Please tell us something about the next steps. Do you concentrate only on the German market?

Dr. Walther: "I gave some hints already. It doesn’t make sense to continue as a isolated German initiative. We started in the German region to hold the costs low, because every member has to come up for them on their own. The only way to be successful is to integrate international standardisation organisations. We have several promising contacts with members of the OASIS and ITU."

M. Neher: GenericIAM started with a new blog not long ago - contrary to the German webpage – completely in English. Why did you decided to do so?

Dr. Walther: "English is indeed the language for international communications and publications. We decided to manage the webpage in German and English. This is possible because of the static content on the webpage. The blog contains much more dynamic content. So we decided to keep the blog in English, only."

The Members:

M. Neher: If we have a look at the members of GenericIAM we find classical IT-companies like Novell, Oracle and Sun, but also companies from other industrial sectors like Dekra or the WestLB. What are the reasons to participate in GenericIAM?

Dr. Walther: "Identity Management and Access Management aren’t limited to IT-companies. Even if both disciplines weren’t termed like this, both are older than information technology. The new thing is that companies get a holistic view of the individual access to corporate resources. Thus IAM is part of every company’s management infrastructure. First of all we concentrated on consumer companies, whose implemented processes we would have analysed for similarities in order to get a general process model. To achieve this we appreciate every member which can help us. Accordingly our members are analysts, users, consultants, software integrators and vendors."

M. Neher: Won’t the participating companies loose their edge in knowledge?

Dr. Walther: "This is a question of all standardisation activities. It’s a matter of fact that there will always be leaders and other who follow. Consolidated everyone wins, if you can refer to an accepted standard. Consumer companies often see IAM as a needful task without any relevance for competition. Their aim is to implement IAM-functions in an easy and cheap way. However the more standardised processes we have the easier this can be achieved.
The most likely to have such an edge of knowledge – if there is one – are analysts, consultants and software integrators. But up to now we couldn’t find someone with any significant advance in this field. We take this as indication that this task cannot be managed by a single company but rather by joined efforts."