The Black Book of Identity Access Mgmt
    Tuesday, Nov 23, 2010

    I'm schizo and so am I

    I recently visited a friend’s shop where they outsource a whole bunch of things. This is increasingly common, of course. They uploaded data and object code to a service. They also uploaded health data. They downloaded reports, and in one instance, they downloaded XML to plug into their own report writer. Their own customers uploaded data as well.

    Sounds like business in the cloud, right? Well, yeah, except that they violated a basic rule. They pay for seats on their cloud vendors’ systems. Their customers pay for seats as well. But it’s all on the cheap. They want a couple of dozen users on each site, but pay for only three or four. This means what?

    Account sharing.

    Doesn’t sound like such a bad thing, except for the AUDIT TRAIL. If we all log in as John Smith, and one of us does something bad, which John Smith is responsible? How do we pinpoint the doer of bad deeds if we all use the same credentials?

    It’s a sensitive enough matter that in my current organization, we get asked all the time about how strongly we secure customers’ data, and we are specifically asked in RFIs about whether we allow account sharing. As well we should.

    Identifying situations in which individuals are sharing accounts is not easy, although the Oracle Adaptive Access Manager (a great product with a terrible name) tries very hard to do so, looking for varying patterns of use within a single id. But even then, it's no walk in the park.
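
One simple heuristic for spotting "varying patterns of use within a single id", shown as an added example (not from the original post, and not a description of how Oracle Adaptive Access Manager works): count the distinct source IP and browser fingerprints seen for each account inside a short sliding window. The log format, account names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records (not from any real system):
# timestamp, account, source IP, browser/OS fingerprint
SAMPLE_LOG = """\
2010-11-22T09:01:12 user=jsmith ip=10.1.4.21 ua=Firefox3.6/WinXP
2010-11-22T09:03:40 user=jsmith ip=10.1.7.88 ua=IE8/Win7
2010-11-22T09:10:05 user=jsmith ip=10.2.0.15 ua=Safari5/MacOSX
2010-11-22T09:12:30 user=jsmith ip=10.1.4.21 ua=Firefox3.6/WinXP
2010-11-22T09:05:00 user=mlee ip=10.1.9.3 ua=Chrome7/Win7
2010-11-22T13:45:00 user=mlee ip=10.1.9.3 ua=Chrome7/Win7
2010-11-22T08:00:00 user=akhan ip=10.1.5.5 ua=IE8/WinXP
2010-11-22T18:30:00 user=akhan ip=192.168.1.9 ua=Firefox3.6/Win7
"""

def parse_line(line):
    """Split one record into (timestamp, account, device fingerprint)."""
    stamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(stamp), fields["user"], (fields["ip"], fields["ua"])

def find_shared_accounts(log_text, window=timedelta(minutes=30), max_devices=2):
    """Return {account: peak distinct devices} for accounts that exceed
    max_devices distinct (ip, ua) fingerprints inside any sliding window."""
    by_account = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            stamp, account, device = parse_line(line)
            by_account[account].append((stamp, device))

    flagged = {}
    for account, events in by_account.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Advance the left edge until the window spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            devices = {dev for _, dev in events[start:end + 1]}
            peak = max(peak, len(devices))
        if peak > max_devices:
            flagged[account] = peak
    return flagged

if __name__ == "__main__":
    for account, peak in find_shared_accounts(SAMPLE_LOG).items():
        print(f"{account}: {peak} distinct devices within 30 minutes")
```

A hit is a lead to investigate, not proof: one person with a laptop and a phone can trip it, and several people behind the same proxy and browser build will not.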

    It’s hard to enforce policies, which entail accountability and possible consequences, if you can’t tell who to hold accountable. This means everybody should get their own name and password. If you’re only going to have one identity, then only one user should make use of it. That’s why it’s called an identity.

    Nobody else has my fingerprints, face, credit history, or wonderful posture. I sure don’t want anybody else taking my credit, or my blame. And I’m pretty sure nobody else wants my face.

    


    Reader Comments (1)

    Love your articles.

    November 17, 2011 | Unregistered Commenter security dummy
