NERC CIP and IAM Case Study Delivered

As previously announced, on Tuesday May 11th, 2010, we hosted a webinar focused on PPL's strategy for streamlining and automating compliance with NERC CIP requirements and other regulations, such as SOX and FERC, by leveraging an Identity and Access Management (IAM) solution.

My co-presenter, Pete Johnson, Director of Information Assurance at PPL, did a fantastic job explaining the challenges and rationale that went into PPL's strategy and execution, as well as fielding many questions on the fly. Thanks Pete!

We had a pretty good turnout, and based on the number of questions we received during the Q&A portion, I would say it was pretty interactive.

We discussed topics in the areas of provisioning, deprovisioning, privileged user management, organizational and project structure and alignment, and handling compliance for legacy apps via identity activity monitoring, which reveals the level of interest in addressing these requirements in a more efficient manner than with manual labor. I felt that the audience was versed in NERC CIP and well aware of IAM, all of which helped make the session more valuable.

A replay of the webinar, as well as the presentation, is available here, and below is the presentation in online format.

As always, your comments and feedback on this webinar and topic are most welcome.

A Case Study: Addressing NERC CIP using an IAM Strategy

Given the increased relevance of NERC CIP compliance in the Energy sector over the last 12 months, we have been focusing on this topic from an Identity and Access Management (IAM) perspective since early this year. Our CTO, Ash Motiwala, posted a couple of very good blog articles on this subject: A NERC CIP Quick Win = Recertification + Closed Loop Deprovisioning and An Introduction to NERC CIP Compliance and Identity & Access Management Technologies.

Next week, on Tuesday, May 11th from 3 to 4 pm EDT, we will be hosting a webinar featuring a case study by one of our clients in the Energy sector: PPL.  Details for the event and the registration page are available here.

PPL, formerly known as PP&L or Pennsylvania Power and Light, is an energy company headquartered in Allentown, Pennsylvania. It currently controls over 11,000 megawatts (MW) of electrical generating capacity in the United States, primarily in Pennsylvania and Montana, and delivers electricity to 1.4 million customers in Pennsylvania.

I will be presenting alongside Pete Johnson, Director of Information Assurance at PPL, and we will be discussing their approach to streamlining and maintaining compliance with several regulatory requirements, with a specific focus on NERC CIP, using IAM. I had the opportunity to work directly with Pete and the PPL team in defining and starting execution of their IAM strategy, and I believe that this case study will be valuable to any organization subject to multiple regulations in any vertical, not just Energy. Evidently, the stiff fines that are now enforceable by NERC (of up to US$1M per incident per day) are a very strong driver in the Energy vertical.

Consistent with our style, this session will be very "meat-and-potatoes".  We intend to keep this vendor agnostic, without marketing jargon, focusing mainly on the practical knowledge and experience gained by PPL.  Our intended audience is IT Managers, IT Professionals, CIO, CISO, COO, CTO, IT Directors, and Solution Architects.  We are planning to leave time for a Q&A session towards the end, so I hope you can join us.

SaaS Provisioning: It's About the Connectors!

Last week, Identropy launched IC2, our Identity Management gateway for the cloud.  We also blogged about the product and how it empowers current User Provisioning Systems to seamlessly connect into IC2 to manage the onboarding, offboarding and orphan account reporting for SaaS applications.

The rationale for Identropy developing IC2 centers around one simple question: What is the easiest way for a corporation to manage the digital identities of users for the multiple hosted applications that are not within their enterprise control? 

Although the move towards SaaS applications is a fundamental paradigm shift from managing enterprise applications, the core identity management problem surrounding user provisioning remains the same. After conversations with our clients, it was apparent that the same business processes that govern onboarding and offboarding for enterprise applications quite readily map to the same processes for SaaS applications. Similarly, the same role management infrastructure that is utilized for internal applications could easily serve up roles for SaaS applications. Couple this with the following statistic from Gartner's Magic Quadrant for User Provisioning:

"...as of mid 2008, approximately 20% to 25% of midsize to large enterprises worldwide, across all industries and sectors, have implemented some form of user provisioning. An additional 20% to 25% are evaluating potential solutions..."

Conclusion? SaaS Provisioning for most organizations is all about the "connectors", or the little pieces of software that connect the provisioning workflow engine to enterprise systems like Active Directory, Oracle databases, and all the other applications in your environment.  That's where IC2 (Identity Connector to the Cloud) comes in.  It's a connector gateway that speaks an industry standard known as SPML.  By using SPML, we could connect your existing provisioning server to IC2.  On the backend, IC2 connects to your SaaS applications in the cloud.  The net result is the easiest way (think days, not months) for your organization's existing provisioning server to extend out user management to cloud applications.
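To make the connector-gateway idea concrete, here is an added Python sketch. It is not IC2's code and does not use the real SPML XML wire format; the request dicts are a simplification of SPML's addRequest/deleteRequest operations. A hypothetical Gateway routes requests from a provisioning server to per-application connectors (an in-memory stand-in for a vendor API), produces an orphan account report by reconciling each application against a constructed HR feed, and closes the loop by deprovisioning the orphans. All names, identities and accounts below are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Identity:
    """One record from the authoritative source (e.g. an HR feed). Constructed."""
    user_id: str
    email: str
    status: str  # "active" or "terminated"


class SaaSConnector:
    """Hypothetical in-memory stand-in for one hosted application's
    user-management API. A real connector would call the vendor's API."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.accounts: Dict[str, str] = {}  # email -> role

    def add(self, email: str, role: str) -> None:
        self.accounts[email] = role

    def delete(self, email: str) -> bool:
        return self.accounts.pop(email, None) is not None

    def list_accounts(self) -> List[str]:
        return sorted(self.accounts)


class Gateway:
    """Routes SPML-style requests to the connector named by targetID and
    reconciles accounts against the identity source (assumed design)."""

    def __init__(self) -> None:
        self.targets: Dict[str, SaaSConnector] = {}

    def register(self, connector: SaaSConnector) -> None:
        self.targets[connector.name] = connector

    def handle(self, request: dict) -> dict:
        # Simplified request shape: {"op", "targetID", "psoID", optional "role"}
        target = self.targets.get(request.get("targetID", ""))
        if target is None:
            return {"status": "failure", "error": "unknown target"}
        op = request.get("op")
        if op == "addRequest":
            target.add(request["psoID"], request.get("role", "user"))
            return {"status": "success", "error": None}
        if op == "deleteRequest":
            ok = target.delete(request["psoID"])
            return {"status": "success" if ok else "failure",
                    "error": None if ok else "no such account"}
        return {"status": "failure", "error": "unsupported operation"}

    def orphan_report(self, identities: List[Identity]) -> Dict[str, List[str]]:
        """Accounts present in a SaaS app with no active identity behind them."""
        active = {i.email for i in identities if i.status == "active"}
        return {name: [e for e in c.list_accounts() if e not in active]
                for name, c in self.targets.items()}

    def closed_loop_deprovision(self, identities: List[Identity]) -> Dict[str, List[str]]:
        """Turn the orphan report into deleteRequests against each target."""
        removed: Dict[str, List[str]] = {}
        for name, orphans in self.orphan_report(identities).items():
            removed[name] = [
                e for e in orphans
                if self.handle({"op": "deleteRequest", "targetID": name,
                                "psoID": e})["status"] == "success"
            ]
        return removed


def run_demo() -> dict:
    """Constructed scenario: two SaaS targets, three identities, one account
    created directly in an app outside the provisioning flow."""
    gw = Gateway()
    for name in ("crm", "helpdesk"):
        gw.register(SaaSConnector(name))
    identities = [
        Identity("u1", "alice@example.com", "active"),
        Identity("u2", "bob@example.com", "active"),
        Identity("u3", "carol@example.com", "terminated"),  # left the company
    ]
    # Onboarding: provisioning server -> gateway -> connector
    for ident in identities:
        gw.handle({"op": "addRequest", "targetID": "crm", "psoID": ident.email})
    gw.handle({"op": "addRequest", "targetID": "helpdesk",
               "psoID": "bob@example.com", "role": "agent"})
    # Account created by hand in the app; never went through provisioning
    gw.targets["helpdesk"].add("contractor@example.com", "agent")
    before = gw.orphan_report(identities)
    removed = gw.closed_loop_deprovision(identities)
    after = gw.orphan_report(identities)
    return {"before": before, "removed": removed, "after": after}


if __name__ == "__main__":
    print(run_demo())
```

The reconciliation step is what turns offboarding into a closed loop: the HR feed, not the application, decides which accounts should exist, so both the terminated employee's account and the hand-created contractor account surface in the report and are removed through the same deleteRequest path the provisioning server would use.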

IT Security Spending Trends

A colleague recently forwarded me an article referencing CompTIA's 7th annual "Trend in Information Security" survey. I've always been a bit of a skeptic when it comes to some of these surveys, but with the current state of IT spending and how Information Security is impacted, I needed to look into this a bit further.

Having been in IT and Information Security now for close to twenty years, it's safe to say I've been through a couple of cycles where IT spending has been impacted by challenging economic times.

Continuing to keep a pulse on the market and IT spending, we've had our share of customers responding with the typical "Budgets are on hold" and "We've just laid off 20% of our IT staff" statements. No question IT spending has suffered, but I can attest to CompTIA's finding: we've experienced IT Security spending sustain itself and even increase in some areas. Vendors we partner with who focus on security solutions addressing regulatory requirements and operational efficiencies have had record-setting quarters, particularly Q4 of '08 and most recently Q1 of '09.

One of the key areas where we've experienced increased activity in IT Security spending has been the on-boarding and off-boarding of employee accounts resulting from either downsizing or mergers and acquisitions. These are Identity Management-specific tasks, and the focus and attention in these areas are required to address regulatory requirements, operational efficiencies and the mitigation of potential security risks. Organizations have worked diligently to address these tasks manually, but when companies are operating with reduced staff, cutting corners on these critical tasks should not be an option. There are short-term and long-term gains in automating Account Provisioning and Deprovisioning, both in cost savings and in operational efficiencies.
