The Black Book of Identity Access Mgmt
    Friday, Oct 14, 2011

    Airline sec is like IdM sec … and NOT

    Having been through all the major (and many, many minor) airports in the USA and around the world the last three decades, I’ve experienced just about every travel annoyance there is. I’ve seen my laptop shot out of a bomb-sniffing machine like a bullet. I’ve been held up by people making jokes about having ammunition in their luggage. I’ve seen morons actually walk through a detector while on a cell phone.

    Lately I’ve been highly frustrated by body scanners. I took the family to DC for a vacation this summer, and we ended up in the wrong line. Instead of the metal detector, we ended up in the scanner line. The TSA folk clearly didn’t know how to deal with it. They ran certain individuals through it multiple times, and the line grew ever larger.

    And then every single person who got body-scanned ALSO got asked on the other side if they had anything in their pockets. And THEN they got frisked, every single time, ANYWAY. So what the hell is the point of the scanner? WASTE OF TIME.

    So here you’ve got a layer of security that is essentially negated. It’s one thing to have overlapping security, but when you ignore the results of one of the layers, all you’re doing is spending time and throughput on a check that decides nothing.

    On one occasion at Heathrow, I was scanned, frisked, then scanned and frisked again. My bags were searched. This was the week after the original liquid bomb scare. You could say this was justified, except that at the end of this chain of events, I was led down an escalator with my fellow Chicago-bound passengers, where we ended up on the street awaiting a bus to take us to the plane on a faraway tarmac. At that point we were on the curb again, ostensibly contaminated, and negating all that searching.

    Observing behavior, checking for one-way tickets bought with cash and/or with no checked luggage, scanning and checking ID, that’s all good, but it has to integrate.

    Oracle likes the term “defense in depth.” I authenticate users, I authorize all their actions, I verify that the users’ sessions are authorized to access the lower-level calls and even the data.

    Defense in depth is a good thing. Why check database-level rights if you’ve already authenticated the user? Well, legit users may still do illegitimate things. Illegitimate users can make use of legit credentials. There are all sorts of reasons to validate at different levels, and each level has its own purpose only if its verdict can actually stop the request. So while it’s good to validate my ID against my boarding pass, and then to scan me, don’t bother scanning if you’re going to feel me up ANYWAY, regardless of the scan results.
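    What “validate at different levels” looks like when each layer’s verdict actually gates the request, as an added example that is not code from the original post or from any Oracle product. The users, roles and record store are constructed in-memory stand-ins (passwords kept in clear text only to keep the example short), and the last two functions contrast the scan-then-frisk-anyway anti-pattern, where a check runs but its result is thrown away, with the same operation done properly.

```python
"""Defense in depth, with every layer's verdict actually gating the next one.

Added example, not code from the original post. The users, roles and record
store below are constructed in-memory stand-ins; real code stores salted
password hashes, not clear text.
"""
import hmac
from dataclasses import dataclass, field

# Constructed sample data.
USERS = {
    "alice": {"password": "correct horse", "roles": {"clerk"}},
    "bob":   {"password": "hunter2",       "roles": {"clerk", "auditor"}},
}
RECORDS = {
    101: {"owner": "alice", "body": "alice's claim"},
    102: {"owner": "bob",   "body": "bob's claim"},
}
# Which roles may invoke which action: the "authorize all their actions" layer.
ACTIONS = {"read_claim": {"clerk", "auditor"}, "delete_claim": {"auditor"}}


class Denied(Exception):
    """Raised by any layer that refuses; callers must not swallow it."""


@dataclass
class Session:
    user: str
    roles: set = field(default_factory=set)


def authenticate(user, password):
    """Layer 1: establish who the caller is."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        raise Denied("authentication failed")
    return Session(user, set(rec["roles"]))


def authorize(session, action):
    """Layer 2: may this principal perform this action at all?"""
    if not ACTIONS.get(action, set()) & session.roles:
        raise Denied(f"{session.user} may not {action}")


def fetch_record(session, record_id):
    """Layer 3: the data layer re-checks on its own instead of trusting that
    the caller already did. A legitimate clerk who passed layers 1 and 2
    still may not read another clerk's record ("legit users may still do
    illegitimate things")."""
    rec = RECORDS.get(record_id)
    if rec is None:
        raise Denied("no such record")
    if rec["owner"] != session.user and "auditor" not in session.roles:
        raise Denied(f"{session.user} may not see record {record_id}")
    return rec["body"]


def read_claim(user, password, record_id):
    """All three layers, each one able to stop the request."""
    session = authenticate(user, password)
    authorize(session, "read_claim")
    return fetch_record(session, record_id)


def delete_claim_scanner_ignored(user, password, record_id, store=RECORDS):
    """The anti-pattern from the post: the check runs, its verdict is thrown
    away, and the request proceeds anyway. The layer costs time and protects
    nothing: a plain clerk can delete what only an auditor should."""
    session = authenticate(user, password)
    try:
        authorize(session, "delete_claim")
    except Denied:
        pass  # frisked anyway, regardless of the scan result
    store.pop(record_id, None)
    return record_id not in store


def delete_claim(user, password, record_id, store=RECORDS):
    """Same operation with the authorization verdict respected."""
    session = authenticate(user, password)
    authorize(session, "delete_claim")
    store.pop(record_id, None)
    return record_id not in store
```

    The point of `fetch_record` re-checking ownership is the same as the database-level rights check in the paragraph above: the data layer does not assume the caller already decided correctly. The point of `delete_claim_scanner_ignored` is the scanner line at Dulles: a check whose result nobody acts on is pure overhead.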

    Another funky thing about the body scanner was the pure stupidity of the people going through it. With metal detectors, you can still go through with your wallet and hankie. With the scanner, they tell you to have nothing in your pockets whatsoever. The scanner at least caught this much, and the TSA guys were saying, “Nothing. You can have NOTHING in your pockets.”

    “But it’s only my wallet.”

    “But it’s only a couple of dollars.”

    “But it’s only a chapstick.”

    “NOTHING. We told you NOTHING.”

    Sarah Palin’s Yahoo email was hacked by somebody who clicked the forgotten-password link and answered her three security questions, whose answers were ridiculously easy to Google. You cannot depend on people to act in their own self-interest when they are lazy or stupid. Plenty of people have foolishly simple security questions, or ridiculously simple passwords. Many still click on phishing links.

    If either the scanner or the detector were perfect, we’d only use one. People only get one or the other as it is. IdM may not have it perfect, but I think we’re still way better off than the TSA.
