The Black Book of Identity Access Mgmt
    Friday, May 10, 2013

    Take control of IAM

    I do a lot of security assessments. I go into a customer, sometimes with a colleague, and we ask a lot of questions. We inquire about their current security capabilities, their security concerns and desires, the deltas between the two, the resources they have available to close those deltas, the ways in which they would like to improve their processes, and their compliance and audit requirements.

    One thing that never fails to amaze me is the number of customers with processes that befuddle them. They’ve inherited certain assets, requirements, and processes that mystify them, frustrate them, expose them.

    They often speak of these things as if they were outside administrative control. They have far too many Active Directory groups they feel stuck with. They have service accounts whose creators are long gone from the organization, accounts that have never been tracked or reviewed.

    So what’s the answer? Take freaking control of your system. You own it, not the other way around.

    The first part is political. Somebody in the security group needs to make the bold statement that it does not matter which department created something. That something must be tracked, and it must be MANAGED. Target accounts must tie to actual users. Service accounts must have a named owner and be periodically certified. The activities of those service accounts must be audited.

    These things get out of control in the first place usually because of 1) volume or 2) legacy reasons. “It was here when I got hired.” Okay, understood. But if you’re in charge of security and/or compliance, then it behooves you to be in charge of these things.

    One cool thing about a proper compliance-support tool (like Oracle Identity Analytics) is the ability to quickly acquire and manage information about accounts, groups, and entitlements. And if you THINK you have rogue accounts, orphans, zombies, redundant groups, or improper assignments, then run a certification. Define a process and assign the certifications to the appropriate managers. The first time through, it’s messy, but after that it’s completely manageable. Get a handle on those objects, those people.

    Then, once you’ve completed this cleanup, enforce the rules going forward. You may NOT create an AD group off the top of your head. You may NOT create a service account and launch an unattended process without governance. You may NOT randomly assign target system entitlements without approvals. And if you DO any of this stuff, it will be caught by reconciliation or certification and you will get spanked.
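    To make the cleanup and the ongoing reconciliation concrete, here is an added example (not code from the post, and not Oracle Identity Analytics or any other product's logic) that runs the checks described above over a constructed HR roster and a constructed directory export: user accounts with no active person behind them, service accounts whose owner is missing or has left, accounts idle past a threshold, empty and redundant groups, and a routing of each account to the manager who should certify it. The account attributes (employee_id, owner, last_logon) and the HR fields are assumptions standing in for whatever your directory and HR feed actually carry.

```python
"""Reconciliation pass over constructed identity data (added example)."""
from datetime import date

# Constructed HR roster (assumed feed): employee id -> manager id and active flag.
HR = {
    "e001": {"manager": None,   "active": True},
    "e100": {"manager": "e001", "active": True},
    "e101": {"manager": "e001", "active": True},
    "e102": {"manager": "e001", "active": False},   # left the company
}

# Constructed directory export (assumed shape of an AD/LDAP dump).
ACCOUNTS = [
    {"sam": "alice",      "type": "user",    "employee_id": "e100", "owner": None,   "last_logon": date(2013, 5, 1)},
    {"sam": "bob",        "type": "user",    "employee_id": "e101", "owner": None,   "last_logon": date(2013, 4, 28)},
    {"sam": "carol",      "type": "user",    "employee_id": "e102", "owner": None,   "last_logon": date(2013, 3, 2)},   # HR says inactive
    {"sam": "tmpadmin",   "type": "user",    "employee_id": None,   "owner": None,   "last_logon": date(2012, 11, 9)},  # no HR tie at all
    {"sam": "svc_backup", "type": "service", "employee_id": None,   "owner": "e100", "last_logon": date(2013, 5, 9)},
    {"sam": "svc_etl",    "type": "service", "employee_id": None,   "owner": "e102", "last_logon": date(2013, 5, 9)},   # owner has left
    {"sam": "svc_legacy", "type": "service", "employee_id": None,   "owner": None,   "last_logon": date(2011, 1, 15)},  # nobody owns it
]

# Constructed group membership: group name -> set of account names.
GROUPS = {
    "Finance-RW":   {"alice", "bob"},
    "Finance-Full": {"alice", "bob"},   # identical membership -> redundant
    "OldProject":   set(),              # empty
    "Backup-Ops":   {"svc_backup", "svc_legacy"},
}


def _active_person(hr, person_id):
    """True when the id maps to a current employee in the HR feed."""
    rec = hr.get(person_id)
    return bool(rec and rec["active"])


def orphan_user_accounts(accounts, hr):
    """User accounts that do not tie to an active person (orphans/zombies)."""
    return sorted(a["sam"] for a in accounts
                  if a["type"] == "user" and not _active_person(hr, a["employee_id"]))


def unowned_service_accounts(accounts, hr):
    """Service accounts with no owner, or an owner who has left."""
    return sorted(a["sam"] for a in accounts
                  if a["type"] == "service" and not _active_person(hr, a["owner"]))


def stale_accounts(accounts, as_of, max_idle_days=90):
    """Accounts of any type that have not logged on within the window."""
    return sorted(a["sam"] for a in accounts
                  if (as_of - a["last_logon"]).days > max_idle_days)


def empty_groups(groups):
    """Groups with no members at all."""
    return sorted(g for g, members in groups.items() if not members)


def redundant_groups(groups):
    """Pairs of non-empty groups with identical membership (merge candidates)."""
    names = sorted(groups)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if groups[a] and groups[a] == groups[b]]


def certification_tasks(accounts, hr):
    """Route each account to a reviewer for certification.

    A user account goes to the employee's manager; a service account goes to
    its owner's manager. Anything without an active person behind it goes to
    the security team, since nobody else can vouch for it.
    """
    tasks = {}
    for a in accounts:
        person = a["employee_id"] if a["type"] == "user" else a["owner"]
        if _active_person(hr, person):
            tasks[a["sam"]] = hr[person]["manager"] or "security-team"
        else:
            tasks[a["sam"]] = "security-team"
    return tasks


if __name__ == "__main__":
    today = date(2013, 5, 10)
    print("orphan users:      ", orphan_user_accounts(ACCOUNTS, HR))
    print("unowned services:  ", unowned_service_accounts(ACCOUNTS, HR))
    print("stale accounts:    ", stale_accounts(ACCOUNTS, today))
    print("empty groups:      ", empty_groups(GROUPS))
    print("redundant groups:  ", redundant_groups(GROUPS))
    for account, reviewer in certification_tasks(ACCOUNTS, HR).items():
        print(f"certify {account:<12} -> {reviewer}")
```

    Run on a schedule against a fresh directory export, the findings from the first four checks are exactly the objects that should never appear again once the rules are enforced; anything that does show up is the reconciliation catch the post talks about, and the certification routing is where the spanking gets assigned.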

    Be the man. Or the woman. Or just a plain person. But BE it. Take charge. And then tell somebody to fix you a sandwich. It’s good to be the king.
