GTEC 2011 | Oct 17-20th | Ottawa Convention Centre

Archive for the tag 'Risk'

Last week NRCan gave a presentation to the Conference Board of Canada on the role of social media in risk management. The presentation took the usual form: we discussed our experiences in managing the risk of social media implementation, focused on how to address quality of content on wikis, and how to guide and inform employees on the acceptable use of new and open technologies.

What was different about this particular presentation was the inclusion of a few slides on how social media could be used to contribute to – and in fact reinforce – risk management activities. We had an audience interested in all aspects of risk management, and as good presenters we looked at our own NRCan Wiki, our blogs and other tools to find good examples to illustrate how social media could help reduce risks – or at least serve as a way to identify risks earlier.

Joe the security guy
Take one of our IT security guys for example – let’s call him Joe. He’s a well-respected and knowledgeable NRCan employee, whose work concerns protecting corporate systems and ensuring that we’re kept well informed on any potential risks. Joe wrote a blog entry about the dangers of Twitter. It was a good, well thought out entry that generated a discussion amongst employees. Some employees were concerned that this attention to potential risk could slow things down, and the issue was discussed from a variety of perspectives.

How does this support better risk management? The first thing to note is that Joe posted his blog entry voluntarily – not because he was asked or because there had been a problem, but because he saw something on the horizon and took the initiative to address it by starting a discussion with his fellow employees. This discussion took place before the Department had officially identified Twitter as a tool being used by employees, and long before it had identified the need to provide relevant policies and guidelines.

Now that the need has arisen, the policy does not need to start from square one. There is already a base of research and opinion to be found in the discussion sparked by Joe’s blog entry. Joe has created a living repository for information and knowledge that could play a valuable role in building a risk management approach, a repository fuelled by the experiences of NRCan employees. Now policies can be built not only on theoretical implementation plans, but also on how real employees have chosen to make use of social media tools.

This is the power of social media: to build on the wisdom of crowds. In the social media forum, the latest concepts are discussed by people that have an interest in the topic, no matter whether they have an official role in the file or not. With social media, a body of valuable knowledge and experience can grow organically, fuelled by the passion and interest of real people, including those who may not have been reached through traditional lines of communication.

We must not only recognize the value but also make use of the discussions and analyses that are generated through the knowledge skunkworks of social media. Taking this inclusive and proactive approach will help us anticipate new trends and build corporate knowledge, not only for managing risk but also for any other subject matter or mandate.

The other day I was re-configuring a VMware instance of our SiteMinder product when a simple realization hit me. What if this was an image containing some kind of secure application or sensitive financial data? I would be able to change the application, change the data or plant a virus. And if someone else with no knowledge of my attack copied the image to a production environment, they’d have no idea that something was wrong. Imagine if I had access to 100s or 1000s of images. The amount of damage would be significant.

The answer is governance. More precisely, it’s about setting up a process to ensure that access to sensitive images is properly managed and audited. This suggests that virtual images, or virtualization itself, could benefit from some of the traditional identity management best practices. So let’s examine specific issues that would have to be addressed.

First, a virtual image needs to be given an identity. It’s not sufficient to think of an image being a simple resource. Images end up running on virtual hosts, consume host resources, and run applications. Hence images require an identity that can be tracked. We have to track not only the user tinkering with the image, but the image itself because it will run on a virtual host. And while we’re at it, we have to track the virtual host itself. But we already knew that governance must be comprehensive.

Now that we have tagged an image with an identity, we can apply traditional identity management processes to virtualization. With the focus on the administrator, we can:

- Administer specific images
- Establish role-based administrative access
- Delegate administrative access
- Enforce administrative SoD (separation of duties)
- Approve administrative change requests
- Audit administrative actions
- Generate compliance reports and perform attestation
- Remediate excessive administrative rights

Additionally we can begin to express policies that govern the rights an image has on a virtual host at run-time. Specifically we can:

- Restrict an image to run only on a specific host
- Prevent an image from executing specific applications or leveraging specific host resources
- Capture and correlate events generated by the image
- Generate reports on run-time behaviour
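To make the two lists above concrete, here is an added example (not code from the post, and not from any SiteMinder or VMware product) of a toy governance model: each virtual image is given its own identity record, administrators get role-based access scoped to the images delegated to them, change approval enforces separation of duties, every administrative and run-time action lands in an audit trail, and a run-time policy pins an image to permitted hosts and flags prohibited applications. The image ids, host names, user names, roles and denied application names are all constructed for the illustration.

```python
# Added example: toy identity-and-governance model for virtual images.
# Not the post's own code; every name below is constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Image:
    image_id: str            # the image's own identity, tracked like a user account
    allowed_hosts: Set[str]  # run-time policy: hosts this image may run on
    denied_apps: Set[str]    # run-time policy: applications it may not execute


@dataclass
class Admin:
    user: str
    roles: Set[str]
    scope: Set[str]          # delegated scope: image ids this administrator may touch


# Role-based administrative access: role -> permissions it grants (constructed roles)
ROLE_PERMS: Dict[str, Set[str]] = {
    "image-operator": {"modify"},
    "change-approver": {"approve"},
}

AUDIT: List[dict] = []          # append-only trail of administrative and run-time events
REQUESTS: Dict[int, dict] = {}  # change requests keyed by id


def audit(event: str, **fields) -> dict:
    """Record an event so it can be correlated and reported on later."""
    entry = {"event": event, **fields}
    AUDIT.append(entry)
    return entry


def permitted(admin: Admin, perm: str, image_id: str) -> bool:
    """Both the delegated scope and at least one role must allow the action."""
    in_scope = image_id in admin.scope
    has_role = any(perm in ROLE_PERMS.get(r, set()) for r in admin.roles)
    return in_scope and has_role


def request_change(admin: Admin, image_id: str, description: str) -> int:
    """An operator files a change request against a specific image."""
    if not permitted(admin, "modify", image_id):
        audit("change.denied", user=admin.user, image=image_id)
        raise PermissionError(f"{admin.user} may not modify {image_id}")
    req_id = len(REQUESTS) + 1
    REQUESTS[req_id] = {"requester": admin.user, "image": image_id,
                        "description": description, "status": "pending"}
    audit("change.requested", id=req_id, user=admin.user, image=image_id)
    return req_id


def approve_change(approver: Admin, req_id: int) -> dict:
    """An approver signs off a request; SoD forbids approving one's own request."""
    req = REQUESTS[req_id]
    if not permitted(approver, "approve", req["image"]):
        audit("approval.denied", user=approver.user, id=req_id)
        raise PermissionError(f"{approver.user} may not approve changes to {req['image']}")
    if approver.user == req["requester"]:
        audit("approval.sod_violation", user=approver.user, id=req_id)
        raise PermissionError("SoD: requester may not approve their own change")
    req["status"] = "approved"
    audit("change.approved", id=req_id, user=approver.user, image=req["image"])
    return req


def check_runtime(image: Image, host: str, app: str) -> List[str]:
    """Evaluate run-time policy for one observed event; returns the violations found."""
    violations = []
    if host not in image.allowed_hosts:
        violations.append("host-not-permitted")
    if app in image.denied_apps:
        violations.append("app-not-permitted")
    audit("runtime.check", image=image.image_id, host=host, app=app, violations=violations)
    return violations


def excessive_rights(admins: List[Admin]) -> List[str]:
    """Attestation report: admins who can both file and approve changes (toxic combination)."""
    return [a.user for a in admins if {"image-operator", "change-approver"} <= a.roles]


if __name__ == "__main__":
    finance = Image("img-finance-01", allowed_hosts={"esx-prod-01"}, denied_apps={"telnetd"})
    alice = Admin("alice", roles={"image-operator"}, scope={"img-finance-01"})
    bob = Admin("bob", roles={"change-approver"}, scope={"img-finance-01"})
    rid = request_change(alice, "img-finance-01", "apply OS patch")
    print(approve_change(bob, rid)["status"])
    print(check_runtime(finance, "esx-dev-03", "telnetd"))
    print(excessive_rights([alice, bob]))
    for entry in AUDIT:
        print(entry)
```

Every function returns the decision it made rather than only logging it, so the same model can feed a compliance report (who holds which rights over which image) and a run-time correlation step (which image did what on which host) from one audit trail.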

This list of capabilities looks a lot like traditional identity lifecycle management being used to help mitigate risk and address compliance requirements, doesn’t it? With the use of virtualization on the rise, the need for IAM systems to manage virtualization will emerge.

And while IAM for virtualization will work for a few virtual images, the only way to scale is for virtualization management systems to integrate with IAM systems. Such integration will facilitate end-to-end virtualization governance and drive additional value for organizations that have already adopted IAM processes.

It’s likely the existing IAM systems will be called upon to support virtualization (we don’t want redundant silos of IAM, do we?) and integrate with virtualization management systems. To support such integration IAM systems have to become service-aware and offer IaaS (Identity as a Service) capabilities.