Making intelligent IAM decisions
Sunday, April 14, 2013 at 12:50AM
Jeff the IAM Guy in certification attestation oracle identity governance OIA

Like much of the country, my area had local elections this past Tuesday. I haven’t missed an election since 1980, because I think everybody who CAN vote SHOULD. Leading up to it, we got hit up for our opinions, our vote, our front yard (for placement of signs). We received a robo-call from a lady running for the library board, and on this call, she read, very badly, from an index card. Not a ringing endorsement.

We were also hit on to vote for a particular individual who I personally think is full of it. I’ve heard him speak on a number of issues over the years, and discovered that he will tell you whatever you want to hear. I knew enough about him to know that I would never vote for him. There were other people running, of course, but I didn’t know enough about them to take a swag at them. There were flyers on our doorknobs, editorials, position statements in the paper, televised speeches, websites. But when you’re on two to four planes a week, it’s hard to keep up. And therefore it’s hard to make informed decisions.

But when you’re in charge of identity, access, security, and compliance, you can’t use that excuse. You MUST make informed decisions. And you need to provide justifications for your decisions. If you provide access to a user, if you provide entitlements, if you recertify somebody’s existing entitlements, you need to have all the necessary info in front of you.

It’s all about having all that info, right? So you want the info to be there, and you want that info EASILY RETRIEVED. I mean, you’ve always got the data someplace, but the trick is to have it handy. It’s a pain in the wazoo if you need to print a bunch of reports, correlate them, perform a ton of queries. Ouch.

Imagine you get a workflow-driven request to approve somebody’s access. And imagine it’s somebody you don’t know. You could make a bunch of calls, send some emails or texts, and then make the decision. Better yet, the system could instantly cough up what other entitlements this user has, his entire profile, his risk score. You could call up who else in the workflow chain has already approved it, or who else would follow you in the decision tree. This would let you make that informed decision. It would also, let’s be honest, be a little CYA.

And now it’s time to certify existing user access. Should the user in front of you keep his access? Should he lose it? Do you know enough about him to make any kind of decision?

Ideally, you would have immediate access to what else that person has access to. His roles. His entitlements. And once again, for CYA, you might want to know his certification history.

If there’s some question in your mind as to whether the user has the access legitimately, you might want to know how he got it in the first place. Did he request it? Did his manager request it for him? Was it given to him automatically by the system once he was entered into the HR system? Any of these lends legitimacy. But if you can’t tell HOW he got it, it might be a clue that he backdoored into it. For example, he may have gotten membership in an Active Directory group via that poor man’s provisioning tool, the AD admin console. Big no-no. And maybe he SHOULD have the access, but he didn’t get it the right way, meaning it’s poorly documented, so he needs to lose it, then come back in the right way.
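As an added example (not code from this post and not Oracle Identity Governance’s own API), here is one way to put the decision context described above in front of a certifier: roles, risk score, certification history, who already approved a grant, and, for the legitimacy question, a reconciliation of what the target system actually shows against what the provisioning audit log recorded. It generalizes the AD-group case to any observed entitlement: anything present in the system with no provisioning record is flagged as out of band, with the remedy the post gives (revoke, then re-request properly). The data model, the legitimate-source list and every record are constructed assumptions.

```python
"""Decision context for an access certification review.

Added example for the post above, not Oracle Identity Governance code or its
API. The data model (an observed-entitlement list, a provisioning audit log and
a certification history) and every record below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Grant paths the post describes as legitimate: each one leaves an audit record.
LEGITIMATE_SOURCES = {"user_request", "manager_request", "hr_auto_provision"}


@dataclass
class ProvisioningEvent:
    user: str
    entitlement: str
    source: str                  # how the access was granted
    approved_by: Optional[str]   # None for system-driven grants


@dataclass
class CertificationRecord:
    user: str
    entitlement: str
    decision: str                # "certified" or "revoked"
    certifier: str
    when: str                    # ISO date (constructed)


@dataclass
class DecisionContext:
    """Everything the post wants in front of the certifier, in one object."""
    user: str
    roles: List[str]
    risk_score: int
    history: List[CertificationRecord]
    # observed entitlement -> the audit event that granted it, or None when no
    # record exists (the access was granted outside the provisioning system)
    provenance: Dict[str, Optional[ProvisioningEvent]]

    def out_of_band(self) -> List[str]:
        """Entitlements present in the target system with no provisioning record."""
        return sorted(e for e, ev in self.provenance.items() if ev is None)

    def recommendation(self, entitlement: str) -> str:
        ev = self.provenance.get(entitlement)
        if ev is None:
            return "revoke and re-request through the approval workflow"
        if ev.source not in LEGITIMATE_SOURCES:
            return f"investigate: granted via unexpected source '{ev.source}'"
        return "eligible to certify: reviewer decides on roles, history and risk"

    def prior_approvers(self, entitlement: str) -> List[str]:
        """Who already signed off on this grant (the workflow chain the post mentions)."""
        ev = self.provenance.get(entitlement)
        return [ev.approved_by] if ev and ev.approved_by else []


def build_context(user, roles, observed_entitlements, risk_score, audit_log, cert_history):
    """Reconcile what the target system shows against what provisioning recorded."""
    provenance = {
        ent: next((ev for ev in audit_log if ev.user == user and ev.entitlement == ent), None)
        for ent in observed_entitlements
    }
    history = [r for r in cert_history if r.user == user]
    return DecisionContext(user, roles, risk_score, history, provenance)


def demo_context() -> DecisionContext:
    """Constructed sample: one user, three entitlements, two audit records."""
    audit_log = [
        ProvisioningEvent("jsmith", "AD:Finance-Readers", "hr_auto_provision", None),
        ProvisioningEvent("jsmith", "App:Payroll-Approver", "manager_request", "mjones"),
    ]
    cert_history = [
        CertificationRecord("jsmith", "AD:Finance-Readers", "certified", "mjones", "2012-10-01"),
    ]
    # The directory also shows a group membership that no workflow ever recorded.
    observed = ["AD:Finance-Readers", "App:Payroll-Approver", "AD:Finance-Admins"]
    return build_context("jsmith", ["Finance Analyst"], observed, 42, audit_log, cert_history)


if __name__ == "__main__":
    ctx = demo_context()
    print(f"{ctx.user}: roles={ctx.roles} risk={ctx.risk_score}")
    for ent in sorted(ctx.provenance):
        print(f"  {ent:24} approvers={ctx.prior_approvers(ent)} -> {ctx.recommendation(ent)}")
    print("out-of-band:", ctx.out_of_band())
```

The reconciliation is the part worth copying: the certifier never has to print and correlate reports, because every entitlement arrives already paired with its grant record (or with the fact that there is none). In a real deployment the observed list would come from a directory or application reconciliation and the audit log from the provisioning system; the sample values here are only to show the shape of the result.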

This is one of the reasons I dig the latest version of Oracle Identity Governance. I can always access the information I need in order to make those informed decisions. It keeps me secure, it keeps me compliant, and most importantly, it keeps me out of trouble. I don’t want to elect village trustees who might set the town on fire, and I don’t want people having access they shouldn’t have because they might set the entire company on fire.

Article originally appeared on Identity and Access Management Framework Book (http://identityaccessmanagementframework.com/).