The Black Book of Identity Access Mgmt
    Tuesday, Aug 27, 2013

    Stay kept up, or get swept up

    I might have written about this before, but in case I haven't ...

    I was with a salesguy a while back, a very, very smart man, which is hard to say when you hang around salesguys as much as I do. They're all kind of shifty looking, don't make a lot of eye contact, and they make you eat Panera Bread a lot. That's because Panera makes very handy boxed lunches that are easily packed into big bags, and it's all very easy to carry. I like Panera, don't get me wrong. My wife loves the soup they make in the loaf of bread. But man, I eat a lot of Panera. Every single meeting, there it is. 

    Anyway, I digress. We were at this meeting, discussing database security, and the deputy CISO introduced us to his consultant, who was in charge of their DB sec initiatives. We talked about encryption, and then data masking, and then I asked about their strategy for battling SQL injection. Oracle has a killer DB Firewall for that. The consultant looked at us rather strangely, and asked, "SQL what?"

    A guy who's in charge of db sec, and he didn't know what SQL injection was. I very politely, and without getting violent, explained to him what SQL injection is, how it's the hack du jour, how all the possible ways a bad guy might chop his way into your system are only the precursors to SQL injection, which is how the data, once uncovered, is finally harvested. 
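    To make the point concrete, here is an added illustration that is not part of the original post: a lookup written the way injectable code usually gets written (untrusted input pasted into the SQL text) beside the parameterized form that a DB security lead should be asking for in code review. The table, user names and e-mail addresses are constructed sample data, and the function names are my own.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build a throwaway in-memory database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The injectable pattern: the input becomes part of the SQL statement itself.

    Whatever the caller passes is spliced into the query text, so quote characters
    in the input can end the string literal and change what the query means.
    """
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The hardened pattern: fixed SQL text, value bound separately by the driver.

    The database receives the statement and the value through different channels,
    so the input is only ever compared as data and can never alter the query.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both lookups against a fresh database and return what each one gives back.

    For an ordinary name both return the same row. For input containing a quote,
    the vulnerable version either returns rows it should not or fails with a
    syntax error, while the parameterized version simply finds no matching user.
    """
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, username),
            "parameterized": lookup_parameterized(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("alice"))
    print(compare("O'Brien"))  # the vulnerable lookup raises; see compare() docstring
```

The review rule this encodes is simple: every query that touches user-controlled input should look like `lookup_parameterized`, and any `f`-string, `%` or `+` building SQL text is a finding. A database firewall such as the one mentioned above is a second layer that watches for statements whose shape differs from what the application normally sends; it does not remove the need to fix the code.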

    Back in the rental car, the salesguy and I had a conversation that basically went like this: how do I get one of those jobs, where I can charge maybe $200 an hour to not know my subject? Being in charge of DB sec without knowing SQL injection is like saying you're in home security but don't know what a lock pick is. 

    "Security" is a very broad subject, which is why there are so many specialities. I'll admit, I am a bit of a generalist, although I can get pretty darn deep on a lot of security subjects. Identity governance, compliance, audit support, authentication, authorization, fraud detection and prevention, single sign-on, social and mobile security, certifications, and THEN we get to database security. 

    Encryption, data masking, data labels, SQL injection, segregation of duties, audit trails, etc.

    It's a lot to know. So how do I know it? Well, for one thing, I'm old, so I've had the time. I also retain a lot of facts, which is why I'm a whiz at crossword puzzles. But my version of SQL injection, the way I harvest the data, is that I READ. I take the time to educate myself.

    Is this stuff utterly fascinating? Is it white-knuckle reading? HELL no. But it's what I do for a living. And security is definitely a lot more interesting than a whole LOT of "security" subjects out there.

    If you don't know your subject, if you're in charge of any aspect of security at your organization and you don't understand the threats and the possible solutions, then you are WORSE than not helpful. You yourself represent a risk. Because somebody in the chain of command is depending on you.  

    I'll be speaking at Oracle Openworld next month, and looking forward to it. I don't drink much on the road, but I always EAT too much. One night at last year's OOW, I did three dinners in one night, because of the customers who wanted to meet up. One of my customers is presenting this year.

    WHY do people come to OOW? Because it's a chance to LEARN. And there's a lot to learn. When you can attend an event like that, take the opportunity. But sure, it's not cheap, and you have to get the time off to do it, unless it's part of your job. Alternatively, take the time to READ, to LISTEN, to LEARN. 

    Every time something new gets invented, some jerk figures out how to corrupt it. The internet is a wonderful thing for personal and business and social interests. It's also a super highway for creeps and crooks. I always say, if some smart geneticist bred a goose that laid golden eggs, the following week somebody would weaponize it. We have to at least try to stay one step ahead of such people.

    Read, listen, learn. Your organization's well-being, and your job, may very well depend on it.
