The Black Book of Identity Access Mgmt
    Friday, Dec 10, 2010

    Don't mind me, I'm just robbing the place

    It doesn't take much to ruin a country's entire diplomatic posture, its sense of security, its standing in the world, its dignity. All it takes is two guys: one self-righteous guy to publish a bunch of secret documents, and another guy to steal them.

    And this is Wikileaks. Mr. Assange feels that he's somehow making the world a better place by spilling a whole lot of secrets to which he wasn't entitled. While some of this stuff actually bears being submitted to the light of day, it turns out a whole lot of it is stuff that could set back efforts to fight piracy, fight corruption, push the North Koreans and the Burmese to the table, and so on.

    Regardless of his motives, it took a willing accomplice, in this case a young simpleton in the military, with WAY too much access and not nearly enough supervision. He downloaded untold thousands of documents, then transmitted them to Assange. HOW did this moron get his hands on all this intelligence? How was he able to download so MANY docs and move them into the wrong hands?

    Sure, there are plenty of people who need access for one reason or another (although I kinda wonder why this 23-year-old dweeb was one of them). But it's not always just WHO you are or WHAT you are. It's also WHAT YOU'RE DOING. Think back to basic access management, like an OIM or a SiteMinder. Policies match up id, origin, and request. Okay, so you could say that an access policy gives this goober access to these docs. But let's add that other dimension, HOW you're doing WHAT you're doing.

    Is he allowed to download this stuff? Looks like it. Should he be allowed to download ALL of it? Holy crap, Batman!

    At some point, you need to examine BEHAVIOR. Why do you care? How often does classified stuff fly off the shelves? No idea. But in the business world? All the time. Here's the business case:
    Poindexter downloads five or six docs a week. Today, he's downloading dozens. Oh, and after hours. There's TWO red flags, in fact. Does he ever do stuff after hours? No. Does he normally download this kind of volume? No. Zzzzzzt. Something's wrong. Shut down his session and send out an alert.

    Maybe he's got a perfectly legit reason for doing so. So you're interrupting him. He'll be back online soon enough, IF it's legit. But maybe he's leaving, and wants to take a bunch of IP with him to the competitor. Maybe he's being paid by industrial spies. Maybe he wants to start his OWN competitive business (I know a guy who did this very thing, and kind of got away with it). An old customer of mine monitoring for anomalies caught an employee downloading THOUSANDS of design docs (telecom hardware), and discovered that he had less than good intentions.

    There are various products out there that handle this kind of behavioral monitoring, in conjunction with the usual id-origin-time of day - request policy matchup. The one I've got the most experience with is the horrendously named Oracle Adaptive Access Manager, or OAAM. Pronounce the acronym phonetically, and it sounds like you've got gas pains. Anyway, you can put users into behavioral buckets, based on title, location, whatever, and when a member of the bucket acts in a way that doesn't fit the usual pattern, OAAM automatically shuts them down. If it's found to be chronic yet anomalous behavior, that user might get moved into another bucket.

    Another cool thing is to just turn on OAAM and let it build those buckets. You don't know what you don't know, right? So let it monitor for a few weeks and tell you what those patterns are, and then start applying those policies.
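The Poindexter business case and the learn-then-enforce bucket approach above, sketched as an added example; this is not OAAM's API or algorithm and not code from the original post. The users, the bucket name, the sample history, the `k`/`floor` thresholds and the one-flag/two-flag response policy are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

BUCKET = {"poindexter": "engineering", "alice": "engineering"}  # constructed users

def sample_history():
    """Constructed observation period: 1-2 weekday downloads, 09:00-16:59."""
    events = []
    for day in range(1, 20):                      # 1-19 Nov 2010
        d = datetime(2010, 11, day)
        if d.weekday() >= 5:                      # skip weekends
            continue
        for i, user in enumerate(BUCKET):
            for n in range(1 + (day + i) % 2):
                events.append((user, d.replace(hour=9 + (day + 3 * n + i) % 8)))
    return events

def learn_buckets(events):
    """Build per-bucket norms: daily volume per user and hours of day seen."""
    per_day, hours = defaultdict(int), defaultdict(set)
    for user, ts in events:
        per_day[(user, ts.date())] += 1
        hours[BUCKET[user]].add(ts.hour)
    counts = defaultdict(list)
    for (user, _), c in per_day.items():
        counts[BUCKET[user]].append(c)
    return {b: {"mean": mean(c), "std": pstdev(c), "hours": hours[b]}
            for b, c in counts.items()}

def evaluate(norms, user, todays_downloads, k=3.0, floor=5):
    """Compare one user's downloads today (list of datetimes) to the bucket norm."""
    prof = norms.get(BUCKET.get(user))
    if prof is None:                              # never observed: no pattern to trust
        return ["no_baseline"], "alert"
    flags = []
    if len(todays_downloads) > max(prof["mean"] + k * prof["std"], floor):
        flags.append("volume")
    if any(ts.hour not in prof["hours"] for ts in todays_downloads):
        flags.append("after_hours")
    # Assumed response policy: one flag alerts, two flags also end the session.
    action = ("allow", "alert", "terminate_session_and_alert")[len(flags)]
    return flags, action

if __name__ == "__main__":
    norms = learn_buckets(sample_history())
    binge = [datetime(2010, 11, 22, 23, m) for m in range(40)]  # 40 docs at 23:xx
    print(evaluate(norms, "poindexter", binge))
```

The `floor` keeps a very quiet bucket from flagging someone who downloads three docs instead of two; volume and time of day are scored separately so each red flag shows up in the alert on its own.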

    In the wake of Wikileaks, the US military is also banning flash drives and other removable media. There's a solution for that as well, but maybe we'll cover that next time. In the meantime, it's WHO, WHAT, from WHERE, and HOW. Sure, now we know that the president of Afghanistan tends to go off his meds, but did we really need to?
