How to Succeed in IdM by Really Trying
Wednesday, April 4, 2012 at 03:07PM
Jeff the IAM Guy

Recently I took the family to the local high school to see their spring musical, “How to Succeed in Business Without Really Trying.” The guys in charge of staging these things are geniuses. The band was phenomenal. And the kids, especially the lead, were amazing. I really expect him to go places.

It’s a very old Broadway show that was turned into an excellent movie decades ago. The gist of the story is that a guy named Finch worms his way to the top by being clever, sneaky, and sometimes deceitful. He never really works the process; he creeps around it.

I more than occasionally run into organizations that try to do the same thing while aiming at security, compliance, or a conversion from one security platform to another (or to several others). Part of the problem is the bottom-feeding portion of the vendor community that tries to sell its wares by telling potential clients that the answer to compliance, for example, or role management, or Segregation of Duties (SoD), is to install their crap and BOOM – they’re done. Well, obviously it’s a lie.

For example … there is NO magic bullet product that can create SoD policies for your applications for you. There are libraries out there, built on best practices, for the most common business apps, such as Siebel, PeopleSoft, SAP, etc. Those templates describe conflicting business functions in the abstract (create a vendor vs. pay that vendor, for instance), and various enforcement tools can digest them, but YOU still have to map each function to the actual entitlements, transaction codes, and responsibilities in your own deployment. A rule whose functions are never mapped enforces nothing.

There is NO magic roles product. There are solutions out there that will help you discover and refine inherent roles by looking at who actually holds which entitlements, but they certainly won’t create roles from scratch in perfect condition; a mined role is only a candidate until somebody who owns the business process reviews it. Oracle Identity Analytics, for example, can help not only with roles, but also with the anti-roles, namely SoD: the combinations of access that must NOT end up bundled together.
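To make the last two points concrete, here is an added example (mine, not code from the original post, and not the logic of Oracle Identity Analytics or any other product) that does the two things a role/SoD tool actually does for you: it groups users with identical entitlement sets into candidate roles, and it screens those candidates against an SoD template. The application names, entitlement names, users, the "best practice" template, and the function-to-entitlement mapping are all constructed for illustration. Note the one rule in the template that names a function nobody mapped; that is exactly the "put them in their proper place" work the vendor glosses over, and the script flags it rather than silently enforcing nothing.

```python
"""Candidate role discovery plus SoD screening over a constructed entitlement dump.

Added example; not the original post's code and not any vendor's engine.
All names below are made up.
"""
from collections import defaultdict

# Constructed sample: user -> entitlements, as an IdM export might give you.
USER_ENTITLEMENTS = {
    "alice": {"AP.CREATE_VENDOR", "AP.ENTER_INVOICE", "GL.VIEW"},
    "bob":   {"AP.CREATE_VENDOR", "AP.ENTER_INVOICE", "GL.VIEW"},
    "carol": {"AP.CREATE_VENDOR", "AP.ENTER_INVOICE", "GL.VIEW"},
    "dave":  {"AP.ENTER_INVOICE", "AP.APPROVE_INVOICE"},
    "erin":  {"AP.ENTER_INVOICE", "AP.APPROVE_INVOICE"},
    "frank": {"HR.VIEW_SALARY"},
}

# Hypothetical "best practice" SoD template: pairs of conflicting business
# functions, deliberately written in vendor-neutral terms.
SOD_TEMPLATE = [
    ("create vendor", "enter invoice"),
    ("enter invoice", "approve invoice"),
    ("approve invoice", "release payment"),   # "release payment" is never mapped below
]

# The part YOU have to supply: which concrete entitlements implement each function.
FUNCTION_MAP = {
    "create vendor": {"AP.CREATE_VENDOR"},
    "enter invoice": {"AP.ENTER_INVOICE"},
    "approve invoice": {"AP.APPROVE_INVOICE"},
}


def unmapped_functions(template, function_map):
    """Functions the template refers to that have no entitlement mapping yet.
    Any rule touching one of these is a no-op until the mapping is finished."""
    used = {fn for pair in template for fn in pair}
    return used - set(function_map)


def expand_sod_rules(template, function_map):
    """Turn function-level template pairs into concrete entitlement pairs."""
    rules = set()
    for fn_a, fn_b in template:
        for ent_a in function_map.get(fn_a, ()):
            for ent_b in function_map.get(fn_b, ()):
                rules.add(frozenset((ent_a, ent_b)))
    return rules


def mine_candidate_roles(user_entitlements, min_users=2):
    """Simplest form of role mining: users holding exactly the same entitlement
    set are grouped, and each group with enough members becomes a candidate."""
    groups = defaultdict(list)
    for user, ents in user_entitlements.items():
        groups[frozenset(ents)].append(user)
    candidates = [
        {"entitlements": ents, "members": sorted(users)}
        for ents, users in groups.items()
        if len(users) >= min_users
    ]
    # Largest groups first; ties broken by entitlement names for stable output.
    candidates.sort(key=lambda c: (-len(c["members"]), sorted(c["entitlements"])))
    return candidates


def sod_conflicts(entitlements, rules):
    """SoD pairs that are fully contained in one entitlement set."""
    held = set(entitlements)
    return sorted(tuple(sorted(rule)) for rule in rules if rule <= held)


def review_roles(user_entitlements, template, function_map, min_users=2):
    """Mine candidate roles and annotate each with any embedded SoD conflict.
    A candidate with conflicts is something a reviewer must split, not publish."""
    rules = expand_sod_rules(template, function_map)
    return [
        {
            "members": cand["members"],
            "entitlements": sorted(cand["entitlements"]),
            "sod_conflicts": sod_conflicts(cand["entitlements"], rules),
        }
        for cand in mine_candidate_roles(user_entitlements, min_users)
    ]


if __name__ == "__main__":
    missing = unmapped_functions(SOD_TEMPLATE, FUNCTION_MAP)
    if missing:
        print("WARNING: template functions with no entitlement mapping:", sorted(missing))
    for role in review_roles(USER_ENTITLEMENTS, SOD_TEMPLATE, FUNCTION_MAP):
        print(role)
```

Run against the constructed data, both candidate roles come back with an SoD conflict inside them, which is the point: the "discovered" roles mirror how access was actually handed out, conflicts included, and the template rule about releasing payments catches nothing until someone maps "release payment" to a real entitlement.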

There is NO magic compliance tool. Compliance with just about any regulatory set of requirements means having to improve your processes as well as your IT solutions. It’s not just installing a piece of software. PCI DSS compliance means putting in place policies and solutions across database, infrastructure, identity, and other aspects of your systems.

It ALL takes work. You need to prioritize, then create a plan, acquire the people and the tools, then build, test, and execute. You might get outside help, but the liability is still YOURS. So no matter what, it’s WORK. Sound hard? Well, balance that work against lower productivity, lower user satisfaction, higher help desk costs, higher audit support costs, and the really big one, RISK.

Article originally appeared on Identity and Access Management Framework Book (http://identityaccessmanagementframework.com/).
See website for complete article licensing information.