What is Zermatt?
SOX doesn’t matter as much as a change to SOX. HIPAA doesn’t matter as much as a change to HIPAA. Basel I doesn’t matter as much as Basel II. The current regulation never matters as much as the next one.
We live in an endless torrent of new laws, new regulations, changes to older regulations, and new interpretations. The true value of any tool or technology that we use to deal with these regulations is not merely in how well it handles static regulation, but how well it handles the next regulation, or a change to a current regulation. Technology solutions to GRC challenges should be easily adaptable through such things as extension and interoperability. Adaptable technologies permit greater agility in getting ahead of the next big regulatory, risk, or governance challenge.
Zermatt is an example of an adaptable Microsoft technology for GRC. Zermatt is a developer framework that helps developers build claims-aware applications, that is, applications that make their decisions on a set of statements about the user (such as the user’s name, role, and permissions) issued by a party the application trusts, rather than on a password the application checks itself. Zermatt’s model is open and extensible. It is built around an identity metasystem, a layer that sits between applications and identity providers and transforms claims from one protocol or token format to another (SAML and WS-Trust, for example).
Identity and access management is a major component of many regulatory controls and is also critical to worker productivity. Businesses want to get workers up and working quickly, but must only allow access to resources by the appropriate people. A business role is typically given access to multiple siloed resources. In a multiple-silo environment, a worker’s identity must be established and access provisioned in each silo separately. Providing this access can be maddening and painful for administrators. It can also take days or even weeks before workers can start being productive. If the average worker is delayed one week in a company with 1000 employees, the accumulated delay is 1000 worker-weeks, or 5000 working days in a 5-day work week, which at roughly 50 working weeks a year is about twenty worker-years of lost labor. After a worker is on board, they have to sign in and out of each silo separately on a daily basis, which is a tremendous drag on productivity.
If a worker could be quickly set up with a simple sign-on to all the appropriate systems, it would take less time for workers to start being productive and overall productivity would be greater. Administrators’ lives would be easier.
A single sign-on to all the siloed resources would be faster, but a single shared credential concentrates risk: if that credential, or the session it establishes, is compromised, the attacker has the same reach across every silo that the worker does. So what businesses need is not merely a single sign-on, but a simple, secure sign-on.
Enter Zermatt. Zermatt enables a simple, secure sign-on scenario. Each siloed application keeps its own authorization decisions while tying into a reusable identity metasystem. The user authenticates once to a trusted issuer; the metasystem then transforms the claims in the token the user presents into the claims each participating silo requires, and each silo trusts only tokens from issuers it has been configured to trust. The user experience is much better. The administration is much simplified.
Let’s say a new regulation requires additional processes by a worker. A new silo is hooked into the metasystem. A new application is developed and added to the worker’s repertoire. If the application uses Zermatt’s identity framework, it can plug into the reusable identity metasystem and maintain a secure sign-on that is simple enough for people to use easily, but which is also strong, revocable, and manageable. The worker’s productivity is unimpaired by additional credentials or sign-on requirements. New workers can become productive more quickly.
Many systems today require workers to use a number of credentials, and Zermatt helps us get closer to securely carrying and using one set of credentials. We might say that Zermatt offers the potential of both better regulatory compliance in terms of identity and access management and greater agility in terms of productivity, for both workers and administrators.
Some of Zermatt’s potential benefits:
- Ease of administration. Potential to reduce the number and complexity of multiple administrator consoles. Easier to reconfigure as regulations change.
- Ease of use for users. Makes possible automated provisioning, which can drastically reduce the amount of time to make new employees productive.
- Improved security. Authentication is handled by a dedicated, auditable issuer rather than re-implemented (and re-tested) in every application, and each application accepts claims only from issuers it trusts. Hooking into a centralized identity bus means that when a worker should no longer have access, the access is cut off in one place and every connected silo honors it.
- Boosted developer productivity. Developers can concentrate on the application logic and leave the identity management to Zermatt and the identity metasystem.
- Externalized authentication capabilities. Authentication is not hard-coded into or tightly coupled to the application itself.
- Centralized authentication (and authorization). Access and permissions to multiple siloed resources can be granted or revoked very quickly and accurately.
- Single sign-on capability. A claims–based application can plug into a centralized reusable identity metasystem that can transform claims to different forms required by each silo.
- Ready to federate with other organizations or platforms. The identity metasystem makes federation interfaces available.
- Supports multi-hop delegation. A middle-tier service can call a downstream service on behalf of the original user, carrying that user’s identity forward instead of substituting its own. Includes an identity selector control that lets users choose which identity they wish to present.
- Reporting. Enables development of fully fledged integrated reporting instead of administrators having to view logs on a per-application basis.
- Has potential to bridge on-premises and hosted solutions.
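To make the claims-aware model described above concrete (a silo that keeps its own authorization while trusting a central issuer, a transformation step that maps the issuer’s claims to what the silo understands, and centralized revocation), here is an added example. It is not Zermatt’s own code or the framework’s API: it uses the .NET System.Security.Claims types (ClaimsPrincipal, ClaimsIdentity, Claim) that succeeded the Zermatt-era types, and the issuer URI, group claim type, group names, role names and the revoked user are all constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// One silo (a payroll application) that accepts claims from a central issuer
// instead of running its own logon. Issuer URI, group names, claim type and the
// revoked user below are constructed sample data (assumptions for the example).
static class PayrollClaimsPipeline
{
    // The single issuer this silo federates with; claims from any other issuer are dropped.
    const string TrustedIssuer = "https://sts.example.com";

    // Claim type under which the (hypothetical) HR issuer emits group membership.
    const string GroupClaimType = "http://schemas.example.com/claims/group";

    // Issuer-side group claim -> role the payroll silo understands.
    static readonly Dictionary<string, string> GroupToRole = new Dictionary<string, string>
    {
        { "HR-Payroll-Clerks",   "PayrollViewer" },
        { "HR-Payroll-Managers", "PayrollApprover" },
    };

    // Subjects whose access was withdrawn centrally. Checked on every request, so a
    // token issued before the revocation stops working without touching the application.
    static readonly HashSet<string> RevokedSubjects = new HashSet<string> { "jdoe" };

    // The transformation step: turn the issuer's claims into the principal this silo
    // authorizes against. Application code never sees the raw federation claims.
    public static ClaimsPrincipal Transform(ClaimsPrincipal incoming)
    {
        var trusted = incoming.Claims.Where(c => c.Issuer == TrustedIssuer).ToList();
        var subject = trusted.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier)?.Value;

        // No trusted subject, or subject revoked: hand back an unauthenticated principal.
        if (subject == null || RevokedSubjects.Contains(subject))
            return new ClaimsPrincipal(new ClaimsIdentity());

        var local = new List<Claim> { new Claim(ClaimTypes.Name, subject) };
        foreach (var group in trusted.Where(c => c.Type == GroupClaimType))
        {
            if (GroupToRole.TryGetValue(group.Value, out var role))
                local.Add(new Claim(ClaimTypes.Role, role));
        }

        // nameType/roleType tell Identity.Name and IsInRole which claim types to consult.
        var identity = new ClaimsIdentity(local, "Federation", ClaimTypes.Name, ClaimTypes.Role);
        return new ClaimsPrincipal(identity);
    }

    // Authorization decision made by the silo, on transformed claims only.
    public static bool CanApprovePayroll(ClaimsPrincipal principal) =>
        principal.Identity != null
        && principal.Identity.IsAuthenticated
        && principal.IsInRole("PayrollApprover");

    // Stand-in for the token the issuer produces after it has authenticated the user.
    // In a real deployment the framework verifies the token signature before any of
    // these claims exist; this helper assumes that verification has already happened.
    public static ClaimsPrincipal IssuerToken(string subject, string issuer, params string[] groups)
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.NameIdentifier, subject, ClaimValueTypes.String, issuer)
        };
        claims.AddRange(groups.Select(g => new Claim(GroupClaimType, g, ClaimValueTypes.String, issuer)));
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Federation"));
    }

    static void Main()
    {
        // A payroll manager from the trusted issuer is mapped to PayrollApprover.
        var manager = Transform(IssuerToken("asmith", TrustedIssuer, "HR-Payroll-Managers"));
        Console.WriteLine("asmith can approve: " + CanApprovePayroll(manager));

        // Same group, but the subject was revoked at the identity bus: denied.
        var revoked = Transform(IssuerToken("jdoe", TrustedIssuer, "HR-Payroll-Managers"));
        Console.WriteLine("jdoe can approve: " + CanApprovePayroll(revoked));

        // Claims from an issuer this silo does not trust never reach the role mapping.
        var untrusted = Transform(IssuerToken("mallory", "https://other.example.net", "HR-Payroll-Managers"));
        Console.WriteLine("mallory can approve: " + CanApprovePayroll(untrusted));
    }
}
```

Two points worth noticing. The application code (CanApprovePayroll) only ever asks about roles it defined itself; hooking a new silo into the metasystem means writing a new Transform mapping, not a new logon. And the security of the whole arrangement rests on the issuer check and on the token signature being verified before the claims are built, which the framework does and this example assumes; a Claim whose Issuer string is merely asserted by the caller proves nothing.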
Joe Scalone, contributing author and partner, SAT Regulation Compliance blog.