Saving the World with User-centric Identity.

Missing: Privileged Account Management for the Social Web.

This year at SXSW I moderated a panel about OpenID, OAuth and data portability in the Enterprise. We had a community lunch after the panel, and walking back to the convention center, I had an insight about a key missing piece of software - Privileged Account Management (PAM) for the Social Web - how are companies managing multiple employees logging in to their official Twitter, Facebook and YouTube accounts?

Before getting to social web PAM, I thought I should explain some key things that help in understanding conventional PAM. This post covers:

  1. regular identity management in the enterprise,
  2. regular Privileged Account Management in the enterprise,
  3. Privileged Account Management for the Social Web.


1) IdM (Identity Management) in the Enterprise

There are two words you need to know to get IdM and the enterprise: "provisioning" and "termination".

a) An employee is hired by a company. In order to login to the company's computer systems to do their work (assuming they are a knowledge worker), they need to be provisioned with an "identity" that they can use to log in to the company systems.

b) When an employee leaves (retires, quits, is laid off or fired), the company must terminate this identity in the computer systems so that the employee no longer has access to these systems.

The next thing to understand is logs.

So, an employee uses the company identity to do their work, and the company keeps logs of what they do on company systems. This kind of logging is particularly important for things like accounting systems: it is used to audit and check that things are being accurately recorded, and it monitors who did what in these systems, thus addressing fraud with strong accountability.

I will write more about other key words to understand about IdM in the enterprise (authentication, authorization, roles, directories) but I will save these for another post.

2) Ok, so what is Privileged Account Management in the Enterprise?

A privileged account is an "über"-account that has special privileges. It is the root account on a UNIX system, a Windows Administrator account, the owner of a database or router access. These kinds of accounts are required for the systems to function, are used for day-to-day maintenance of systems and can be vital in emergency access scenarios.

They are not "owned" by one person, but are instead co-managed by several administrators. Failure to control access to privileged accounts, and to know who is using an account and when, has led to some of the massive frauds that have occurred in financial systems. Because of this, the auditing of logs of these accounts is now part of compliance mandates in:

  • Sarbanes-Oxley
  • the Payment Card Industry Data Security Standard (PCI DSS),
  • the Federal Energy Regulatory Commission (FERC),
  • HIPAA.

Privileged Account Management (PAM) tools help enterprises keep track of who is logged into a privileged account at any given time and produce access logs. One way this software works is: an administrator logs in to the PAM software, and it then logs in to the privileged account they want access to. The privileged account management product grants privileged user access to privileged accounts [1].

Links to articles on PAM: [1] Burton Group Identity and Privacy Blog, KuppingerCole, Information Security Magazine.
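
The brokered login described above, sketched as an added example (not code from this post or from any PAM product): people authenticate to the broker as themselves, the shared account's secret stays inside it, and each use is logged against a named person. `PamBroker`, its method names and the account names are hypothetical.

```python
import hashlib, hmac, secrets, time

class PamBroker:
    """Toy broker: each person logs in as themselves; the shared account
    secret never leaves the broker, and every use is attributed in a log."""
    def __init__(self):
        self._users = {}     # person -> (salt, password hash): provisioned identities
        self._vault = {}     # privileged account -> shared secret
        self._grants = set() # (person, account) pairs allowed
        self._sessions = {}  # session token -> (person, account)
        self.audit_log = []  # (timestamp, person, account, event)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _log(self, person, account, event):
        self.audit_log.append((time.time(), person, account, event))

    def provision(self, person, password):
        salt = secrets.token_bytes(16)
        self._users[person] = (salt, self._hash(password, salt))

    def terminate(self, person):
        # Removes identity, grants and live sessions; the person never saw the shared secret.
        self._users.pop(person, None)
        self._grants = {g for g in self._grants if g[0] != person}
        self._sessions = {t: s for t, s in self._sessions.items() if s[0] != person}

    def store_account(self, account, secret, allowed):
        self._vault[account] = secret
        self._grants |= {(person, account) for person in allowed}

    def checkout(self, person, password, account):
        salt, digest = self._users.get(person, (b"", b""))
        authenticated = hmac.compare_digest(digest, self._hash(password, salt))
        if not authenticated or (person, account) not in self._grants:
            self._log(person, account, "checkout_denied")
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = (person, account)
        self._log(person, account, "checkout_granted")
        return token

    def act(self, token, action):
        if token not in self._sessions:
            return False
        person, account = self._sessions[token]
        # A real broker would use self._vault[account] to log in to the target here.
        self._log(person, account, "action:" + action)
        return True
```

Terminating a person in this model cuts off their access to every shared account at once, and the audit log answers "who used the account and when" by name rather than by the shared login.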

3) Privileged Account Management on the Social Web.

Increasingly, companies have privileged accounts on the social web. Examples on Twitter: Dell computers has several for different purposes; Virgin America (they link to the account from their website, thus "validating" that this is their real account); JetBlue; Southwest Airlines; Zappos CEO (employees who twitter); Comcast Cares (Frank Eliason) (interestingly, comcast on Twitter is blank).

Twitter is just the tip of the iceberg - there are also "fan pages" on Facebook for brands: Coca-Cola, Zappos, NYTimes, Redbull, Southwest, YouTube Channels, Dunkin' Donuts, etc., etc., on thousands of other platforms and yet-to-be-invented services.

These are very powerful accounts - they are managed and maintained by many employees around the clock and are the public voices of companies.

I have yet to see or hear of any software tools to enable enterprises to manage Social Web privileged accounts. How are companies managing access by multiple employees to these accounts?

Is there software that does this yet?

Is anyone working on these kinds of tools?

Leave your comments here or tweet with me @identitywoman

Printed from: http://www.identitywoman.net/missing-privilidged-account-management-for-the-social-web .
© Kaliya Young Hamlin 2010.

3 Comments

  • Matt Flynn says:

    Interesting question. Is there a reason traditional PAM solutions wouldn't help with social web apps?... I would've assumed they can handle these the same as any other apps.

  • Matt Flynn says:

    Oh, and apps like Chatterbox should help. I actually think it's preferable to have individual contributors rather than a master account - I think that approach is more in-line with what will be effective in social media. Chatterbox would allow multiple support reps to monitor, share, discuss internally and post from a single Twitter account.

  • bonj says:

    Specific to Twitter, I like HootSuite. I just upgraded to version 2.0, which came out this week. 2.0 didn't really change much in regards to account management, which was already good, but the interface is more TweetDeck-like, yet within your browser. As you are really managing HootSuite accounts, the Twitter Account credentials are not given to users, yet HootSuite allows one access to post to Twitter Profiles, based upon how accounts are administered in HootSuite. You can check out their video tour http://ow.ly/iBUh of 2.0.
