Thursday, July 10, 2008
Getting NISTy - UPDATE
Oracle's Nishant Kaushik has a great post today attacking the NIST RBAC standard as fatally flawed.
He asks the question, "Is the NIST RBAC standard fundamentally flawed, given that it is missing a key element in access control decisions - relationships...?" and answers himself: "It is, and companies looking to the NIST RBAC standard as the template for how to approach role management are going to end up missing the boat."
I'll simply say that I find NIST's RBAC to be about as useful as the ISO network model - a great tool to tailor a discussion around, but really worthless as a practical implementation. Alternatively, you could think of it as being in the same relationship to actual role implementation as the Dept. of Defense's Ada programming language is to Java or C#.
There has to be a better way.
UPDATE: My sometime drinking buddy, Archie Reed from HP, has posted a good summary of the current thinking, planning and drafting of standards for role management and RBAC.
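To make the "missing relationships" point concrete, here is an added example (not code from the post, from NIST, or from any of the vendors mentioned; every user, role and reporting line in it is constructed). It models NIST core RBAC as two relations, user-to-role and permission-to-role, and shows that a decision such as "a manager may approve an expense report only for one of their own direct reports" cannot be made from role membership alone: both managers pass the role check, and only a relationship predicate separates them. The second builder shows the usual pure-RBAC workaround, one role per employee, which freezes the relationship into role names and grows the role count with headcount.

```python
"""NIST-style core RBAC next to a relationship-aware decision.

Constructed example: users, roles, permissions and the reporting
structure are all made up for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CoreRBAC:
    """Core RBAC: users get roles (UA), roles get permissions (PA).

    The access decision sees only the user, the operation and the
    object *type*; it has no way to relate the user to the object.
    """

    user_roles: dict[str, set[str]] = field(default_factory=dict)
    role_perms: dict[str, set[tuple[str, str]]] = field(default_factory=dict)

    def assign_user(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def grant(self, role: str, op: str, obj_type: str) -> None:
        self.role_perms.setdefault(role, set()).add((op, obj_type))

    def permitted(self, user: str, op: str, obj_type: str) -> bool:
        """True if any role held by the user carries (op, obj_type)."""
        return any(
            (op, obj_type) in self.role_perms.get(role, set())
            for role in self.user_roles.get(user, set())
        )


@dataclass(frozen=True)
class ExpenseReport:
    report_id: str
    owner: str


# Constructed reporting structure: manager -> direct reports.
REPORTS_TO: dict[str, set[str]] = {"carol": {"alice", "bob"}, "dave": {"erin"}}


def manages(manager: str, employee: str) -> bool:
    """The relationship that core RBAC cannot express."""
    return employee in REPORTS_TO.get(manager, set())


def can_approve(rbac: CoreRBAC, user: str, report: ExpenseReport) -> bool:
    """Role check (core RBAC) followed by the relationship check."""
    if not rbac.permitted(user, "approve", "expense_report"):
        return False
    # Without this line every manager could approve every report,
    # including their own.
    return user != report.owner and manages(user, report.owner)


def build_demo() -> CoreRBAC:
    """Plain core RBAC: one 'manager' role, one 'employee' role."""
    rbac = CoreRBAC()
    rbac.grant("manager", "approve", "expense_report")
    rbac.grant("employee", "submit", "expense_report")
    for user in ("alice", "bob", "erin"):
        rbac.assign_user(user, "employee")
    for user in ("carol", "dave"):
        rbac.assign_user(user, "manager")
    return rbac


def emulate_with_roles(reports_to: dict[str, set[str]]) -> CoreRBAC:
    """Pure-RBAC workaround: bake the relationship into role names.

    One role per employee whose reports may be approved; the object type
    is likewise qualified by owner. Every change in reporting lines now
    means a role change, and the number of roles grows with headcount.
    """
    rbac = CoreRBAC()
    for manager, staff in reports_to.items():
        for employee in staff:
            role = f"approver_for:{employee}"
            rbac.grant(role, "approve", f"expense_report:{employee}")
            rbac.assign_user(manager, role)
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    report = ExpenseReport("r1", owner="alice")
    for user in ("carol", "dave", "alice"):
        print(user, "role check:", rbac.permitted(user, "approve", "expense_report"),
              "relationship-aware:", can_approve(rbac, user, report))
    print("roles needed to emulate:", len(emulate_with_roles(REPORTS_TO).role_perms))
```

Run it and both carol and dave pass the role check for alice's report, while only carol passes `can_approve`; the emulation needs three roles for three employees, which is the role explosion that drives people to bolt relationship data onto the standard.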
Wednesday, August 22, 2007
Oracle to buy BridgeStream?
Dan Primack, over at PEHUB, threw out a rumor the other day that Oracle was about to acquire BridgeStream, the role definition and management company. I've followed the privately held San Francisco startup for the past couple of years, and even just last summer believed that acquisition wasn't in the cards just yet:
"With some preaching a top-down approach of creating roles based on business rules and practices while others advocate a bottom-up approach emphasizing audits and data mining of what people actually do, there's no definitive "best practices" for role creation. While it seems obvious that, eventually, a synthesis of these methods will emerge as the standard way to create and manage roles, there's still enough diversity in the marketplace that the big identity management vendors aren't willing to bet on the final outcome. Instead, they'll partner with many different role creation companies. That means that folks like Bridgestream, Eurekify, Trusted Network Technologies, BHOLD, Blackbird, Engiweb, Prodigen, SecurIT, and Vaau will maintain their independence for now with only the remote possibility that should any of them founder with customers their investors might seek to sell out at fire sale prices."
But I think I can give a fair amount of credence to Primack's rumor for two reasons:
1) Oracle is still on an acquisition roll, and getting deeper into roles makes sense for them;
2) Role management needs to be intimately connected to the IdM suite of products, something that simply partnering with an independent role management company doesn't give a major vendor.
Look for this to become official over the next week or so...
© 2003-2006 The Virtual Quill, All Rights Reserved