The Black Book of Identity Access Mgmt
    Friday, Dec 30, 2011

    Find it, then secure it

    As part of my job, I often sit with customers in their meeting rooms, at long tables and at the whiteboard, figuring out where they’re at, and where they need to be. We discuss their business processes, as well as their security, corporate, and compliance requirements around those processes. We inventory their digital and human resources, and how these interact. Employees, contractors, partners, vendors, suppliers, the applications they touch, and the roles they touch them with. Databases and directories. What they need to secure, and to what degree. Which users should be able to access which resources. Which regulatory needs must be met. What reports are needed.

    Quite often when I’m doing this, there are personnel from the customer who barely know each other, or only speak regularly via email. Another fairly regular occurrence is that various corners of the business are unaware of what other corners are doing. There are all sorts of redundancy in user stores, processes, and provisioning.

    One of the mistakes made by even CIOs and others charged with maintaining an organization’s security posture is the failure to perform the most basic task: take inventory of the environment. They don’t know what they don’t know. It’s sad that it takes a visit from a vendor to prompt this exercise. Ideally, I should walk in and be handed a list of people (with their categories and roles), the directories they live in, the methods they authenticate with, the policies that authorize them, the applications they’re authorized for, the dashboards that govern the whole mess, and the reporting that comes out the tail end.

    That inventory of assets and plumbing is the foundation for everything. If you don’t know what you’re protecting and who from and based on what, then you’re up a creek. ANY application or database that comes into VIEW should come into SCOPE. Homegrown or vendor-supplied, it needs to be included in the inventory.

    Case in point: Years ago I visited a school where they regularly did data extracts. For purposes of chronic studies, analyses, departmental reports, and other odds and ends, they pulled data on students, finances, faculty and staff. These extracts were sitting in all manner of folders and hard drives all over the place. There were no controls on who could create them, who could access them, or where they ended up once they were created. The organization knew these extracts were a potential vulnerability, but never had the will to do anything about them. And despite knowing this, it wasn’t until I was on their premises and started drilling down that they began a larger inventory and discovered just how many of these extracts existed.

    In the American utilities space, the organization known as NERC enforces regulatory compliance on water and electric providers. The very first and very wise provision they mandate is determining those assets and creating the perimeter around them.

    Once you have that inventory, you can also start correlating a couple of other things. Different apps run on different roles. Can you create enterprise roles that encompass those more provincial roles, for universal provisioning? And can you now create authentication policies for universal, or at least reduced, sign-on (SSO)?
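    One way to start that correlation step, as an added example that is not from the original post: a small Python pass over a constructed inventory (the users, apps, app-local roles and user stores below are made up) that proposes candidate enterprise roles by grouping users who hold identical sets of app-local roles, and flags identities that live in more than one user store.

```python
from collections import defaultdict

# Constructed inventory: the app-local roles each user currently holds.
# Names, apps and roles are made up for this example.
APP_ROLES = {
    "alice": {("hr_app", "payroll_viewer"), ("ldap", "staff"), ("finance_db", "reader")},
    "bob":   {("hr_app", "payroll_viewer"), ("ldap", "staff"), ("finance_db", "reader")},
    "carol": {("hr_app", "payroll_admin"),  ("ldap", "staff"), ("finance_db", "writer")},
    "dave":  {("ldap", "contractor"), ("finance_db", "reader")},
    "erin":  {("ldap", "contractor"), ("finance_db", "reader")},
}

# Constructed membership lists from each user store found during the inventory.
DIRECTORIES = {
    "corp_ldap":          {"alice", "bob", "carol", "dave"},
    "legacy_ad":          {"alice", "carol", "erin"},
    "hr_app_local_users": {"alice", "bob", "dave"},
}


def mine_enterprise_roles(app_roles, min_members=2):
    """Group users by their exact set of app-local roles.

    Every group with at least min_members users is a candidate enterprise
    role that could be provisioned once instead of app by app.
    """
    groups = defaultdict(set)
    for user, roles in app_roles.items():
        groups[frozenset(roles)].add(user)
    return {roles: users for roles, users in groups.items() if len(users) >= min_members}


def duplicated_identities(directories):
    """Return users present in more than one user store, with the stores they appear in."""
    seen = defaultdict(set)
    for store, users in directories.items():
        for user in users:
            seen[user].add(store)
    return {user: stores for user, stores in seen.items() if len(stores) > 1}


def uncovered_users(app_roles, candidates):
    """Users whose role set matches no candidate; these need individual review."""
    covered = set().union(*candidates.values()) if candidates else set()
    return sorted(u for u in app_roles if u not in covered)


if __name__ == "__main__":
    candidates = mine_enterprise_roles(APP_ROLES)
    for roles, users in candidates.items():
        print("candidate role", sorted(roles), "->", sorted(users))
    print("review individually:", uncovered_users(APP_ROLES, candidates))
    print("in multiple stores:", duplicated_identities(DIRECTORIES))
```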

    You can’t fix it if you don’t know it’s broke. And you can’t secure it if you don’t know you have it. If you’re the person in charge of security, then you must be the authoritative source on what you own, and what you’re going to do about it.
