Recently, with the help of our wonderful partners at Simeio Solutions, we co-authored a set of best practices for undertaking Access Certification projects.
Abstract:
As organizations deal with increasingly complex internal structures and an array of regulatory requirements, manual or piecemeal access control processes are no longer adequate. To ensure compliance, companies around the world are implementing automated certification processes that provide needed security and enable greater business agility. By deploying Sun Role Manager and leveraging best practices developed by Simeio Solutions, a Sun preferred partner, your organization can quickly and effectively implement automated certification that meets your specific requirements.
In order to understand the concept of data ownership, I think it is important to first understand how data can be classified within an enterprise. In most organizations, data falls into three main categories:
1) Classified: the most critical business information, intended strictly for authorized personnel. This includes PII (personally identifiable information) such as credit-level or health-related information.
2) Confidential: less sensitive information that can be used within the organization when deemed appropriate by the designated data owners.
3) Public: all information that can be shared outside the organization, once approved.
It is important to understand what the word "data" means within the context of an organization. Data can be any information, including personal employee information (from street addresses to social security numbers), health care records (PII or ePHI), intellectual property, financial information and, most importantly, any access control or entitlement information that grants access to critical target systems and business applications. This also includes network-level information, from IP addresses to server names to account IDs and passwords. As you can tell, the list can explode, and every organization defines it uniquely.
A data owner can now be defined as the designated party responsible for maintaining the integrity of the information we just attempted to define above. A data owner is responsible for managing and updating the data and for assessing any risks associated with it. Even though the data ultimately belongs to the organization, the data owner shepherds it, protects it against harmful entities and ensures that it is maintained in accordance with the organization's pre-determined guidelines. Finally, data owners take the necessary steps to ensure that controls and policies are implemented and managed for the storage, handling, distribution and everyday use of this data.
From a compliance perspective, it is extremely important for data owners to attest to the users who are authorized to access the information they own. For identity-based information, this means periodic reviews in which data owners verify that the permissions business managers have granted to employees match what each employee actually accesses and should have access to. The advantages of this are:
1) It prevents entitlement sprawl, where too many users end up with access to the data. Managers may not be aware of the criticality of the data and may approve access to it anyway, for example an Active Directory group membership, an SAP role or a RACF group.
2) It allows data owners to bring their expertise to the table, attesting to the users who should access the data while revoking access from users who should not be permitted to view it.
3) It allows data owners to gauge the level of interest in the data they manage, create alternative views of the information where possible, and then ensure that the right users are accessing the appropriate data.
In the market today, products such as Sun Role Manager provide this attestation capability, allowing designated data owners to attest to the users who access the data they own. This is a very data-centric view and a bottom-up approach to user attestation. It is nevertheless a necessary approach, because it puts a second set of eyes on the integrity of critical information...I mean, data.
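To make the bottom-up review concrete, here is an added example (not code from this post or from Sun Role Manager) of a certification pass in Python. It groups a constructed entitlement snapshot under the data owner who must attest each entitlement, flags entitlements that have no designated owner (they can never be certified), and then applies the owners' decisions: rejected assignments go to a revocation list, approvals older than the review period go back to the queue. The user names, systems, owner IDs, decision records and the 90-day cycle are all assumptions made up for the example.

```python
"""Bottom-up (data-owner) access certification pass.

Added example; all names, systems and dates below are constructed.
"""
from collections import defaultdict
from datetime import date, timedelta

REVIEW_PERIOD = timedelta(days=90)   # assumed quarterly certification cycle
TODAY = date(2009, 12, 1)            # assumed review date

# Constructed entitlement snapshot: (user, target system, entitlement)
ASSIGNMENTS = [
    ("alice", "AD",   "CN=Finance-Reports"),
    ("bob",   "AD",   "CN=Finance-Reports"),
    ("carol", "SAP",  "Z_AP_POST"),
    ("bob",   "SAP",  "Z_AP_POST"),
    ("dave",  "RACF", "PAYROLL"),
    ("erin",  "RACF", "LEGACY-ADM"),   # nobody owns this group -> orphan
]

# Constructed owner registry: (system, entitlement) -> data owner
OWNERS = {
    ("AD",   "CN=Finance-Reports"): "fin-owner",
    ("SAP",  "Z_AP_POST"):          "ap-owner",
    ("RACF", "PAYROLL"):            "hr-owner",
}

# Constructed attestation decisions: assignment -> (verdict, decision date)
DECISIONS = {
    ("alice", "AD",   "CN=Finance-Reports"): ("certified", date(2009, 11, 20)),
    ("bob",   "AD",   "CN=Finance-Reports"): ("revoked",   date(2009, 11, 20)),
    ("carol", "SAP",  "Z_AP_POST"):          ("certified", date(2009, 5, 1)),  # too old
    ("dave",  "RACF", "PAYROLL"):            ("certified", date(2009, 11, 25)),
    # ("bob", "SAP", "Z_AP_POST") has never been reviewed
}


def build_review_queue(assignments, owners):
    """Group each assignment under the data owner who must attest it.

    Returns (queue, orphans). An entitlement with no designated owner cannot
    be certified by anyone, so it is reported separately rather than silently
    passing the review.
    """
    queue = defaultdict(list)
    orphans = []
    for user, system, ent in assignments:
        owner = owners.get((system, ent))
        if owner is None:
            orphans.append((user, system, ent))
        else:
            queue[owner].append((user, system, ent))
    return dict(queue), orphans


def evaluate(queue, decisions, today, period=REVIEW_PERIOD):
    """Apply owner decisions to the queue.

    Each assignment ends up in exactly one bucket:
      revoke    - the owner rejected it; feed this to deprovisioning
      certified - approved within the review period
      pending   - never reviewed, or approved too long ago; must be re-attested
    """
    result = {"revoke": [], "certified": [], "pending": []}
    for items in queue.values():
        for item in items:
            decision = decisions.get(item)
            if decision is None:
                result["pending"].append(item)
                continue
            verdict, when = decision
            if verdict == "revoked":
                result["revoke"].append(item)
            elif today - when <= period:
                result["certified"].append(item)
            else:
                result["pending"].append(item)
    return result


def run_certification():
    """Run the pass over the constructed data; returns (result, orphans)."""
    queue, orphans = build_review_queue(ASSIGNMENTS, OWNERS)
    return evaluate(queue, DECISIONS, TODAY), orphans


if __name__ == "__main__":
    result, orphans = run_certification()
    for bucket, items in result.items():
        print(f"{bucket}:")
        for user, system, ent in items:
            print(f"  {user:6} {system:5} {ent}")
    print("no data owner (cannot certify):")
    for user, system, ent in orphans:
        print(f"  {user:6} {system:5} {ent}")
```

The two outputs a practitioner cares about are the revoke list, which should drive actual deprovisioning rather than sit in a report, and the orphan list: an entitlement nobody owns is a gap in the owner registry, not an approval, and fixing the registry comes before the next review cycle.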
Check out the webinar replay that Nick Wooler and I did on the latest product offerings (Sun Role Manager 5.0 and Directory Server 7.0).
Product documentation for Sun Role Manager 5.0 is now live on wikis.sun.com!
A vast array of online resources is now available, from installation guides to white papers, with a lot more on the way. Our teams are currently hard at work publishing performance guides, database tuning guides, recommended architectures, and hardware sizing and capacity planning documents, so stay tuned.
Product documentation for Sun Role Manager 5.0 can now be viewed and downloaded here.
Check out the podcast by Matt Modica from ESI and Nick Crown, PLM for Sun Role Manager & Identity Manager, here.
The discussion is centered around the Identity & Access Management project undertaken by ESI, their architecture, the challenges faced and the lessons learned.
Sun Role Manager 5.0 has been released; check out the list of resources on the Sun website:
Sun Role Manager Website
Access Certification with Sun Role Manager Whitepaper
Sun Role Manager Joint Whitepaper on Access Certifications with partner Simeio Solutions
Everyday Role Management Webinar
Identity Administration & Compliance Webinar
I'm a Product Manager, based in Austin, TX.