IAM protects your data and IS your data

When you first slap together an IAM framework, it’ll be perfect. For about a week. Then you’ll start saying, ah crap, I forgot this, and that, and the other thing. It’s kind of like life, marriage, painting the garage. This is why you have policies that can be changed centrally, this is why you have software (e.g. OAAM) that can learn from activity and help you fine-tune, this is why you have audit trails to tell you what you missed so you can plug the next set of holes.
So let’s consider these for a moment. That same IAM toolset that’s making sure the people who log in are exactly who they say they are (reminds me of a rant by the Arizona Cardinals coach from a few years back), and which gives them access to ONLY those things they’re allowed by virtue of their roles, attributes, or shoe size, is also GATHERING information as it does all this. Who asked for what, who got what, who was refused what, and so on.
The data that tells you who normally gets things on a granular basis is the same data that helps you build roles. If you and I and that hairy guy over there all do approximately the same thing for a living, and we use approximately the same resources, then we might just share a virtual role giving us access to those resources. But if I start doing things a little differently, such as doing more of my job from the road (as evidenced by the IP address(es) I come in from), or I start doing more work outside of normal business hours, then either my role, or the policies that govern my role, or the exceptions to the role, may need to change.
This is why your IAM framework must do an excellent job of auditing. It’s not just for forensics or security recaps. It’s also for fine-tuning. If you CANNOT run a regular report that tells you who asked for, received, or was refused resources, then you’re missing half the value you should be getting, and you need to fire the guy who bought the access product and beat your vendor with sticks.
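As an added example (not code from the original post or from any IAM product), here is the kind of report the last two paragraphs describe, in Python over a constructed audit trail: it mines candidate roles from who was granted what, and flags the deviations mentioned above, namely a source IP the user was never seen from, activity outside business hours, and refused requests. The record layout, the business-hours window and the overlap threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (not from the post): when, who, from where, what, outcome.
AUDIT = [
    ("2024-03-04T09:12:00", "alice", "10.1.2.3", "payroll-db", "granted"),
    ("2024-03-04T10:05:00", "alice", "10.1.2.3", "hr-portal", "granted"),
    ("2024-03-04T09:30:00", "bob", "10.1.2.9", "payroll-db", "granted"),
    ("2024-03-04T11:40:00", "bob", "10.1.2.9", "hr-portal", "granted"),
    ("2024-03-04T14:00:00", "carol", "10.1.5.7", "build-server", "granted"),
    ("2024-03-04T15:20:00", "carol", "10.1.5.7", "source-repo", "granted"),
    ("2024-03-05T23:45:00", "alice", "203.0.113.8", "payroll-db", "granted"),
    ("2024-03-05T09:10:00", "carol", "10.1.5.7", "payroll-db", "refused"),
]
BUSINESS_HOURS = range(8, 18)  # assumed working hours: 08:00 to 17:59

def candidate_roles(records, min_overlap=0.5):
    """Mine roles from granted access: users whose resource sets overlap by at least min_overlap (Jaccard) share a role."""
    granted = defaultdict(set)
    for _, user, _, resource, outcome in records:
        if outcome == "granted":
            granted[user].add(resource)
    roles = []
    for user in sorted(granted):
        for role in roles:
            shared = role["resources"] & granted[user]
            if len(shared) / len(role["resources"] | granted[user]) >= min_overlap:
                role["members"].add(user)
                role["resources"] = shared  # keep only what every member actually uses
                break
        else:
            roles.append({"members": {user}, "resources": set(granted[user])})
    return roles

def deviations(records, baseline_end):
    """Events from baseline_end on that break a user's earlier pattern: new IP, off-hours, or refusal."""
    seen = defaultdict(set)  # source IPs each user came in from during the baseline period
    for ts, user, ip, _, _ in records:
        if ts < baseline_end:
            seen[user].add(ip)
    findings = []
    for ts, user, ip, resource, outcome in records:
        if ts < baseline_end:
            continue
        hour = datetime.fromisoformat(ts).hour
        if ip not in seen[user]:
            findings.append((user, resource, "new source ip " + ip))
        if hour not in BUSINESS_HOURS:
            findings.append((user, resource, "outside business hours"))
        if outcome == "refused":
            findings.append((user, resource, "refused; role or policy gap?"))
    return findings
```

Run over a real audit export, the role list is what you compare against the roles you actually defined, and the findings list is what goes to the person who owns the policy.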
If your framework, on the other hand, protects your innards without telling you simultaneously how to do it better, then it’s like what Homer Simpson says about beer: it’s the cause of, and the solution to, all our problems. Make sure your framework is all solution, and no cause.