The Black Book of Identity Access Mgmt
    Tuesday, Aug 24 2010

    How do I get THAT job?

    Years ago, I had a buddy who worked at an exchange. He was one of those ninnies who stood in the trading pit, screaming at the top of his lungs, buying and selling commodities. Open outcry, they call it. Open sewer, I called it, after meeting some of his sleazy colleagues, and watching from the gallery how barbaric capitalism can be.

    Most of the traders had little or no college. Several I met hadn’t finished high school. But they could make ungodly amounts of money. All they had to do was stand shoulder to shoulder with a bunch of other soulless scumbags and scream, all day long.

    Since there was no schooling or real training involved, I asked, how the hell do you get INTO this? My buddy told me, it was all about connections. He got into it through his uncle, who at one time had been a heroin addict. No kidding. The uncle had gotten in because of somebody else he knew.

    I sometimes wonder about IT managers. I get asked some of the dumbest damn questions by security guys, and I wonder, “You make a lot of money doing this. Does your aunt own the company? Do you have naked pictures of somebody? Did the CSO lose a bet? Are you considered a charity case? You don’t seem to know anything about security, so I was just curious.”

    At one joint, the security manager told me at the start, “We’re a Microsoft shop.” They had hordes of ungoverned AD groups, completely unsecured SharePoint deployments, and they hadn’t passed a single security audit. Yet his burning desire was to implement SSO, for the sake of convenience.

    “Okay, let’s talk about SSO,” I conceded. “Does this mean web SSO?”

    “What do you mean by that?” he asked.

    “Browser based.”

    “Oh. I guess so.”

    I asked him about fat client SSO. He wanted to know what a “fat client” was. I mentioned client-server. Oh, that started a whole other conversation.

    What he wanted by way of SSO was to log into a desktop, then move seamlessly to their cloud vendors. I said, “Oh, federation.” Which he’d heard of, but couldn’t really define. Just for laughs, I mentioned SAML. Deer in the headlights.

    I asked, “How do you log in right now? What’s the mechanism? The interface?”

    He replied, “Uh, just Windows.”

    I asked, “Okay, just the Windows GINA?”

    “GINA?”

    This guy was in CHARGE. Holy crap, he was in charge. Now a software sales guy (meaning a guy who should have a pimp for an older brother, so he’ll have somebody to look up to), will say in a case like this, “These guys know nothing, I can sell them anything I want.” But from my experience, folks who are completely ignorant at least know what they don’t know, and will spend a lotta time getting educated before blowing a big chunk of budget. Therefore, stupid people take even longer to sell to.

    Luckily, the vast majority of the time, security officers are intelligent, experienced, and know what questions to have. At the very least, they’ll be able to define their own inventory of pieces, including their missing pieces. Just like I married a smart woman, I’d much rather sell to smart customers.

    Like my neighbor once told me, “I love my nephew to death. But I’d never HIRE the dummy.”

    I think the issue is that security is a broad subject. Whenever recruiters call, they always say, “I’m looking for a security guy.” And I ask, “Do you mean network/perimeter, app sec, firewall, identity, authorization, compliance? Can you be more specific?”

    So if you’re going to put somebody in charge of identity, make sure their background isn’t strictly tokens or firewall or some other niche. Identity and access should be their own specialty. It’s your enterprise, your identities, the keys to your assets. Don’t trust it to somebody who knows algebra, hoping he’ll pick up geometry on the job.
