The Black Book of Identity Access Mgmt
    Thursday
    Dec 08 2011

    Ignorance breeds non-security

    There’s a really lame old joke about two shoe salesmen who travel to Africa. The first one comes back and tells the boss, “It’ll be a great market for us. Nobody there has any shoes.” The second guy tells the boss, “That will be a lousy market for us. Nobody there wears shoes.”

    I ran into this in real life a couple of times. A couple of years ago, in Quebec, I left a meeting with two sales people who argued all the way to the airport. He said, “We’re in great shape. They have a partner in there who will want the work to install our stuff.”

    SHE said, “It’s a terrible situation. The partner will want to build, so they won’t want the customer to buy.”

    The second time I ran into this was upon leaving a meeting in St. Louis, in which the security crew at the customer didn’t know how LDAP really worked, what groups or queries were, what a bind was, etc. The sales guy told me, “We’re in the driver’s seat. We can sell them anything. They don’t have any security, and they need somebody to lead them by the nose.”

    I disagreed. “There’s no way they’re going to spend a bunch of money based on our say-so,” I explained. “Somebody in that food chain will want some answers before they write a check. I believe they won’t make a move until they know what they don’t know.”

    And twice since this summer I’ve heard a variation on this one:

    “We don’t need additional security. We’ve never been breached.”

    “Never? Hmm. How do you know?”

    “We’ve never seen it happen.”

    “Are you watching for it? Do you know what to look for?”

    “We haven’t needed to. Like we said, we’ve never been breached.”

    Sometimes you don’t know what you don’t know. And what you don’t know might be killing you. A couple of years back, a huge retailer didn’t know what they didn’t know, and in the meantime a sophisticated hacking ring had used a multi-layered hack, a massive Advanced Persistent Attack, to penetrate just about every corner of their IT operation. Very costly, very embarrassing. And in the past year a gaming company lost millions when they were literally brought down for days.

    It’s not always apparent where to put up a defense, or what policies to build. You can put up every kind of defense, sure, but this can lead to two issues: the possible big hit on performance, and keeping out people you want to let in. You also don’t know WHERE you’re necessarily getting hit. On the front end, I employ tools like the Database Firewall, or Adaptive Access Manager (both Oracle tools) to see how people are coming in, and possibly deflect them or otherwise send out the alerts over possible malicious activity. On the back end, I use things like Audit Vault to let me know that things have happened after the fact (in what’s called near real time) so that I can examine those activities and figure out possible changes in my policies.

    It’s common with Adaptive Access to set it up in monitor-only mode, watch for a few weeks, and build policies based on common usage. You determine your risk level, and defend accordingly. But again, the point here is to learn what you don’t know. Knowing what you need to know is 90 percent of the battle. You can’t fix your problem unless you know you have one, and then have the will to act.

     

    Thursday
    Dec 01 2011

    I'm so special

    For our recent anniversary, my wife and I went for the first time to an excellent little restaurant called Scapa, in a little burg called Clarendon Hills, Illinois. The food was excellent, the service was great, and when my wife none-too-subtly let it drop to the manager that it was our anniversary, he bought us tiramisu for dessert.

    Shortly thereafter, I was in Detroit, and got the airport late for my return home. As I walked up to the security line, my heart sank; it was HUGE. I had no status in that particular terminal, either. But I boldly asked the lady with the badge around her neck, “Is there a priority line?”

    “Yes,” she said, “right here.” And she opened up the little rope and let me in. I don’t believe I was meant to be there, but I took it. Fine, so I’m a scumbag. That little bump saved me TONS of time, and I showed up at my gate just in time for early boarding. It’s good to have privileges.

    Whenever I’m seated in an exit row and they ask if I’m qualified, I always say, “Yes. Throw the switch, open the door, inflate the slide, and be sure to yell Wheee! all the way down.”

    In the Detroit airport this fall, I got to the security line, and it was HUGE. I asked the lady standing there, “Is there a priority line?” She asked if I was priority. Well, yeah, on a particular airline, I said. She just thumbed me along, not wishing to put out the energy to check. This saved me TONS of time. So then I got early boarding at the gate.

    But the misuse of privileges is a massive issue for many organizations. I was in the frozen north recently for an outing in which a room packed with the customer’s HR, provisioning, help desk, and database personnel horrified me with their lack of documented procedures. They had a limited number of DBAs with every privilege in the world. They had service accounts that were never monitored or attested to.  

    The traditional take on DBAs has always been that they can do anything they want. Well, why? Let them create or alter tables, apply patches, size resources, etc. But why should they have access to actual business data?

    I talk to orgs all the time who say, we only have three, four, five DBAs. It’s not worth the hassle of deploying tools to monitor or limit these guys. I say, it’s all the more reason. These guys constitute a huge potential liability.

    I pitch things like Oracle Database Vault, for preventive protection. You’re the DBA? Do your job, and no other. Service account? Who says it should have every right in the world? Limit it to the realm of data to which it belongs, like PeopleSoft, or SAP, or E-Business Suite. And service accounts should never have the privileges of a DBA, like the ability to ADD or DROP tables.

    Hand your builder a hammer to help build and maintain your structure. Don’t give him a sledge hammer to potentially knock it down.

    

    Thursday
    Nov 10 2011

    The online waters can be rough

    The Chicago River is a beautiful thing. Some architectural jewels line the thing. It’s a blast to eat at a café overlooking the water. When I come out of Union Station after riding the train downtown, I come out on Adams Street and immediately cross the bridge and the view in either direction (but especially north) is fantastic.

    You can actually grab a water taxi to get from one end to the other, which, at the right time of day, can actually be a good thing. There are sightseeing boats. And there are rentals.

    The city is building additional boathouses with canoe and kayak rentals. THIS is where it gets funky. The bigger boats create large wakes, and they have to watch out not only for navigational hazards but also smaller craft. And sometimes the kayakers act like folks in little cars who zip in front of trucks.

    Not all the smaller craft guys are dummies. But I’ve seen them do some pretty dippy things. They get too close to the large wakes, which can flip them over. They ignore the very loud horns and risk getting plowed into. They don’t do this professionally or on a regular basis, so they don’t take the same precautions that the big boat captains do.

    Many states require you to take a safety course when you buy a gun. In Illinois, a teenager must drive forty chaperoned hours during the day and an additional ten hours at night before they can get a license. But kayakers get nothing more than a paddle and a couple of tips before they hit the water.

    It almost seems like when you register a domain, you should have to certify that you understand the risks. Because you’re a risk not only to yourself, but to others, if you aren’t secure. And if you’re launching your internal apps, through which your employees, customers, partners, and vendors interact, you are a risk to them.

    Policies: how you will secure things
    Policies: terms of service; what you expect of your users
    Policies: reflect security, corporate, customer, audit and regulatory requirements
    Policies: what you expect of vendors, hosting services, etc.
    Policies: how you intend to create, enable, and monitor users and their activities

    Don’t be a kayaker on the choppy river of online commerce. And watch out for those really lame metaphors, too.

    Sunday
    Oct 23 2011

    RISK-based sec isn’t perfect … that’s why it’s called RISK

    Being a parent means worrying a lot. Early on, you can control all the risks. This means keeping the basement door closed so the toddlers don’t crawl down the stairs headfirst, and not leaving your beer on the coffee table. The older they get, of course, the more risk is out of your hands.

    I let my kid drive places, increasingly far from home, and at odder hours. For work, to hang with friends, stuff with school. It scares the hell out of me every single time. I trust my very intelligent, resourceful offspring. I just don’t trust the rest of the universe, which is full of devious, stupid, drunken, boneheaded, and otherwise mouth-breathing hillbillies.

    But this is how your children learn, and grow. You assign a certain amount of trust, and you learn from what goes right and what goes wrong. And even after you learn everything you need to learn, bad stuff can still happen.

    You can’t just say, this activity is assigned this risk score. There are SO many variables. Driving to school is one thing. But if it’s foggy, or icy, or dark out, or a special occasion when more drunks are on the road, these add to the calculation. The absolute safest thing is to say, “No. Just stay home.” But obviously this kills the interaction, and earns me the death stare and the question, “Am I in your will?”

    It’s the same thing with IT security. Put all your data on a single server, don’t plug it into anything, and nobody can hack it without a thumb drive. But then your customers, partners, vendors, employees and other interested parties can’t interact with you to generate revenue.

    You can turn on absolutely every single security protocol there is, but it would slow things down considerably. El Al, the airline for a country literally surrounded by enemies, has a great security history. The price is lots of searching and lots of questions.

    I’ve been dealing a lot with adaptive authentication lately, including Oracle’s version, OAAM, and one of its competitors. These are great tools for calculating risk based on multiple factors, not just a flat score assigned to particular resources. Sure, the resource itself may have a risk score, but that’s just one of the items to consider when calculating the risk of a TRANSACTION, and deciding how to respond.

    “You want to look at employee salaries, and you’re the HR person, and it’s 9 am on a Monday and you’re inside the firewall? Okay.”

    “You want to look at employee salaries, and you’re the HR person, but it’s 7 pm on Monday, and you’re at home? Well, okay, but maybe I’ll ask you your security questions.”

    “You want to look at employee salaries, and you’re the HR person, but it’s midnight on a Saturday, and you’re on a mobile device? Forget it. And by the way, I’m automatically opening up a case and sending out alerts, you scumbag.”

    That’s why it’s called Adaptive Authentication. It has to adapt to what’s being asked. Who you are, what you’re asking for, when you’re asking for it, and from where. It might also look at what you normally do. A great use case for AA is the guy working for an American electronics company, but out of an Asian unit. He normally downloads a handful of engineering specs a week. But on a weekend, he’s downloading THOUSANDS. AA shuts him down and sends out an alert. Turns out he’s changing jobs and taking some IP with him.

    Quite often, dedicated employees do lots of funky work at funky hours, even on vacation. I took my box to Niagara Falls. It happens. This is why you want your system to take into account ALL the possible factors, then employ the policies you’ve set up for every occasion to calculate the risk of the intended action and then do one of the following:

    1) Allow
    2) Allow after additional info is requested
    3) Allow after additional info is requested but still send out an alert
    4) Disallow
    5) Disallow and alert because obviously somebody’s attempting something really bad

    By the way, OAAM can also operate off historical data. Do you normally make these kinds of requests? Do other people in your group or at your location do so? If not, is this a higher risk? If it’s going to be a regular thing, do we adjust what’s considered the norm, going forward?
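    One way to see how those factors combine, as an added example that is not OAAM’s or any vendor’s code: a toy risk scorer that weights who, what, when, where, device and request volume against a user’s historical baseline, then picks one of the five responses above. The users, weights and thresholds are constructed for the illustration.

```python
# Toy adaptive-authentication risk scorer (added illustration, not OAAM or any
# vendor's code). Weights, thresholds and the sample users are constructed.
from datetime import datetime

# Constructed baselines: how many items each user normally pulls per week,
# the static risk of each resource, and which role owns which resource.
BASELINE_WEEKLY = {"hr_jane": 5, "eng_lee": 4}
RESOURCE_RISK = {"employee_salaries": 20, "engineering_specs": 15}
ROLE_ALLOWED = {"hr": {"employee_salaries"}, "engineer": {"engineering_specs"}}

def score(user, role, resource, when, location, device, volume=1):
    """Who, what, when, where, device and history all feed one score;
    the resource's own risk is only the starting point."""
    s = RESOURCE_RISK.get(resource, 10)
    if resource not in ROLE_ALLOWED.get(role, set()):
        s += 60                                  # asking outside the role
    if when.weekday() >= 5:
        s += 25                                  # weekend
    if when.hour < 7 or when.hour >= 20:
        s += 20                                  # far outside office hours
    elif when.hour >= 18:
        s += 10                                  # evening
    s += {"corporate": 0, "home": 15}.get(location, 30)   # where from
    s += 15 if device == "mobile" else 0                   # what device
    if volume > 10 * BASELINE_WEEKLY.get(user, 1):
        s += 60                                  # THOUSANDS vs a handful
    return s

def decide(user, role, resource, iso_time, location, device, volume=1):
    """Map the score onto the post's five outcomes; iso_time is ISO-8601."""
    s = score(user, role, resource, datetime.fromisoformat(iso_time),
              location, device, volume)
    if s < 30:
        return "allow"
    if s < 50:
        return "allow_after_challenge"
    if s < 70:
        return "allow_after_challenge_and_alert"
    if s < 100:
        return "deny"
    return "deny_and_alert"

if __name__ == "__main__":
    # HR person, Monday 9 am, inside the firewall: plain allow.
    print(decide("hr_jane", "hr", "employee_salaries", "2011-12-05T09:00",
                 "corporate", "managed_pc"))
    # Engineer pulling 3000 specs on a Saturday: deny and alert.
    print(decide("eng_lee", "engineer", "engineering_specs",
                 "2011-12-10T14:00", "corporate", "managed_pc", 3000))
```

    In a real deployment the weights come from the monitor-only learning period described above, and the baseline is recomputed as normal behaviour shifts.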

    NOTHING is ever totally safe. It’s called risk for a reason. But you’re in charge of security for an even better reason, right?

    Friday
    Oct 14 2011

    Airline sec is like IdM sec … and NOT

    Having been through all the major (and many, many minor) airports in the USA and around the world the last three decades, I’ve experienced just about every travel annoyance there is. I’ve seen my laptop shot out of a bomb-sniffing machine like a bullet. I’ve been held up by people making jokes about having ammunition in their luggage. I’ve seen morons actually walk through a detector while on a cell phone.

    Lately I’ve been highly frustrated by body scanners. I took the family to DC for a vacation this summer, and we ended up in the wrong line. Instead of the metal detector, we ended up in the scanner line. The TSA folk clearly didn’t know how to deal with it. They ran certain individuals through it multiple times, and the line grew ever larger.

    And then every single person who got body-scanned ALSO got asked on the other side if they had anything in their pockets. And THEN they got frisked, every single time, ANYWAY. So what the hell is the point of the scanner? WASTE OF TIME.

    So here you’ve got a layer of security that is essentially negated. It’s one thing to have overlapping security, but when you’re ignoring the results of one of them, all you’re doing is adding to your bandwidth.

    On one occasion at Heathrow, I was scanned, frisked, then scanned and frisked again. My bags were searched. This was the week after the original liquid bomb scare. You could say this was justified, except that at the end of this chain of events, I was led down an escalator with my fellow Chicago-bound passengers, where we ended up on the street awaiting a bus to take us to the plane on a faraway tarmac. At that point we were on the curb again, ostensibly contaminated, and negating all that searching.

    Observing behavior, checking for one-ways bought with cash and/or with no checked luggage, scanning and checking ID, that’s all good, but it has to integrate.

    Oracle likes the term “defense in depth.” I authenticate users, I authorize all their actions, I verify that the users’ sessions are authorized to access the lower-level calls and even the data.

    Defense in depth is a good thing. Why check database level rights if you’ve already authenticated the user? Well, legit users may still do illegitimate things. Illegitimate users can make use of legit credentials. There are all sorts of reasons to validate at different levels. But all those levels have their purpose. So while it’s good to validate my ID against my boarding pass, and then to scan me, don’t bother scanning if you’re going to feel me up ANYWAY, regardless of the scan results.

    Another funky thing about the body scanner was the pure stupidity of the people going through it. With metal detectors, you can still go through with your wallet and hankie. With the scanner, they tell you to have nothing in your pockets whatsoever. The scanner at least caught this much, and the TSA guys were saying, “Nothing. You can have NOTHING in your pockets.”

    “But it’s only my wallet.”

    “But it’s only a couple of dollars.”

    “But it’s only a chapstick.”

    “NOTHING. We told you NOTHING.”

    Sarah Palin’s Yahoo email was hacked by somebody who clicked the forgotten password link and answered her three ridiculous, easily Googled questions. You cannot depend on people to act in their own self-interest when they are lazy or stupid. Plenty of people have foolishly simple security questions, or ridiculously simple passwords. Many still click on phishing links.

    If either the scanner or the detector were perfect, we’d only use one. People only get one or the other as it is. IdM may not have it perfect, but I think we’re still way better off than the TSA.