When you're gone, you should be really, really gone

I recently attended a CISO forum in Texas. The food was great. George W. Bush was speaking nearby, and shortly thereafter, a veritable horde of GOP donors came streaming through the lobby. There were lots of large old men escorting blondes half their age. It was actually hilarious.
But wait, I digress. One of the speakers was the CISO of a gargantuan global food company. He said that every year, his company has to decommission literally hundreds of thousands of IDs. Hundreds of thousands. It’s inconceivable to me to work at an organization that large. That’s probably why I’ve been at so many startups.
After my last move, I was shut out of a variety of services fairly quickly. But some things stuck. Not that I took advantage, but it was amusing. I logged into a couple of things just to see if I could. I even reported them, and still they didn’t take care of business. It’s nuts. Had I been a nefarious, scheming, opportunistic scumbag, instead of just a run-of-the-mill jerk, I could have done some damage.
This is why Jesus invented attestation. At least I think he invented it. Anyway, something or somebody has to periodically review who has access to what. It helps to compartmentalize it, so that managers who are familiar with their people can make the decisions on these things. It’s that time of the year, or the month, or the business cycle, so send me a list of everybody under me, and I’ll review who should and shouldn’t still have access.
Maybe I own an app. Show me who’s got access to it, and I’ll figure out who to give the boot to. Or maybe I’m just the admin, I run the servers, so I don’t make the business decisions regarding who has that access. So send the lists to the managers who own those users.
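As an added illustration (not code from the original post), here is the kind of reconciliation an attestation pass boils down to: an HR roster checked against an application's access export, with accounts whose owner has left or has no HR record flagged for revocation, and everything else bucketed by manager for review. The roster, access list and the `reconcile` function are all constructed for this example.

```python
# Added example: reconcile an HR roster against an app's access list.
# Accounts whose owner is terminated or unknown to HR go on the revoke list;
# the rest are grouped by manager so each manager reviews only their own people.
from collections import defaultdict
from datetime import date

# Constructed sample data (not real users or systems).
HR_ROSTER = {
    "alice": {"status": "active", "manager": "carol", "term_date": None},
    "bob":   {"status": "terminated", "manager": "carol", "term_date": date(2012, 3, 1)},
    "dave":  {"status": "active", "manager": "erin", "term_date": None},
}

APP_ACCESS = [
    {"user": "alice", "app": "erp", "role": "ap_clerk"},
    {"user": "bob", "app": "erp", "role": "ap_approver"},
    {"user": "dave", "app": "erp", "role": "readonly"},
    {"user": "svc_legacy", "app": "erp", "role": "admin"},  # nobody in HR owns this
]


def reconcile(roster, access, today):
    """Return (revoke, review).

    revoke: access rows to remove now, each tagged with a reason
            (owner terminated, or no HR record at all).
    review: manager -> access rows held by that manager's active reports,
            i.e. the per-manager list an attestation campaign sends out.
    """
    revoke = []
    review = defaultdict(list)
    for row in access:
        person = roster.get(row["user"])
        if person is None:
            # Orphaned account: nothing in HR ties it to a living owner.
            revoke.append({**row, "reason": "no HR record (orphan)"})
        elif person["status"] != "active":
            # Ex-employee still holding access; note how long it has lingered.
            days = (today - person["term_date"]).days if person["term_date"] else None
            revoke.append({**row, "reason": f"terminated {days} days ago"})
        else:
            review[person["manager"]].append(row)
    return revoke, dict(review)


if __name__ == "__main__":
    revoke, review = reconcile(HR_ROSTER, APP_ACCESS, date(2012, 4, 1))
    for r in revoke:
        print(f"REVOKE {r['app']}/{r['role']} for {r['user']}: {r['reason']}")
    for mgr, rows in review.items():
        print(f"REVIEW by {mgr}: {[r['user'] for r in rows]}")
```

The terminated-days figure is what turns a quiet failure into a metric worth reporting: if it is large, de-provisioning is not keeping up with HR.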
I worked with a role management tool for years and competed with Vaau. Then Sun bought them, and the competition got more fierce. Then while with Oracle, I saw them buy Sun, and the old Vaau product became the new role management component in the Oracle identity stack. It’s got a great attestation piece to it. But any great tool is only as good as the data and/or policies you feed into it.
So this is the crux of it: you have to decide on those policies. You have to decide how the thing’s going to work. But too many organizations don’t make those decisions. They think things just happen. “I can provision and de-provision.” And sure, that works, but only manually. I visited a manufacturer once where all provisioning was still manual. No workflow, no connectors, just fat fingers. Wow. In this day and age. I have no idea how an outfit like that passes an audit. They even joked, “Don’t tell our auditors.”
Productivity is an important thing. You want people to be enabled. You waste time and effort when users can’t get to what they need. But even uglier is the other end of that spectrum, when users have stuff they shouldn’t have. An ex-employee or ex-contractor, especially a disgruntled one, can hurt you badly when he or she can still get to a resource without accountability.
POLICY. Make sure you have a POLICY. “Every month, manufacturing reviews all access. Every other week, accounting does their review.” And so on. Before really bad crap happens.