The Black Book of Identity Access Mgmt
    Thursday, Sep 22, 2011

    Customization : It’s just what I always wanted!

    I was recently at the Scranton, Pennsylvania Hilton. No, I didn’t see the guys from The Office, so stop asking, like everybody else asked. While sitting at the bar late on a Sunday, having a Stella and trying to recover from my ride in through a thunderstorm, I listened as two Texans kept hitting on the bartender and describing to her what it meant to “do a stuntman,” which is some feat of saloon manliness. This apparently includes snorting some salt, drinking Tabasco, and sticking a lime in your eye. I suggested they’d be better off calling such an act “doing a dumb****.”

    Anyway, the bartender, a lovely young thing, asked what I wanted for my late dinner. “A black and bleu burger,” I responded.

    “How do you want that, well or medium well?”

    OH, how nice. I’m like Ulysses Grant, I like my meat cooked dark. It was such a nice question to answer. And the burger came exactly as I wanted it.

    When you implement a piece of software, you want it to run your way. Not like Windows does. I mean, you don’t ever really own a Windows box; it owns YOU. It runs when it wants, it kills processes when it feels like it, it installs updates and reboots if it gets itchy, and it welcomes in viruses like long-lost cousins with money.

    Sorry, I digress. With a tool that gets installed with setup.exe, you get what you get. But enterprise software is an investment, and personalization is the least you can ask. Your identity management portal shouldn’t say, “Welcome to MegaSoftVendor.” It should have the name of your organization, and a happy face, maybe a puppy, followed by text boxes asking for name and password.

    Customizing Oracle Identity Manager has usually meant doing work in Struts. But with the advent of ADF, you have a platform for making some pretty amazing GUIs. Figure a couple of weeks just to do the branding, y’know, your colors and logo, which is style sheets. But then you get into the functional stuff. Moving around tabs, changing menus, merging or even splitting up screens. No matter how functional a package is out of the box, customers always want it to mimic their little quirks, or the stuff they’re used to, even if what they’re used to is STUPID.

    I mean, I’ve seen some pretty screwy GUIs with convoluted flows that were built that way simply because some coder made it up and everybody just went along, and then they built their processes around that stupidity, instead of building the GUI around the processes.

    This is why you build a plan around your business flow. How SHOULD things work? What kinds of screens are the most usable? How do I make people productive? How do I save on helpdesk calls, and make the portal so user-friendly that people WANT to use it, WANT to send emails to the boss saying how much they love the programmers, want to send me doughnuts?

    OOTB is cheap and easy. But it doesn’t scream out “C’mon in, we’re here just for you.” It screams out, “We’re cheap and easy.”

    Take the time, satisfy the stakeholders, and greet your users with a smile. And a puppy.

    Wednesday, Aug 31, 2011

    He ain't heavy, he's my clone

    There’s a real tired old hack cliché stupid idiotic etc. movie plot that keeps getting copied over and over, and just about every time, it sucks. Two people standing someplace switch bodies. Hilarity is supposed to ensue, but usually doesn’t. Jodie Foster (yum) did Freaky Friday for Disney, and it was halfway decent. The remake with Jamie Lee Curtis (yum) was not. Sharon Gless and John Schuck did a TV show based on it in the ’70s. There were a few more. There’s a new one, The Change-Up, which appears to be the worst one yet. These closely resemble the other hack plot of old people being turned young for a time.

    Can’t Hollywood come up with original stuff?

    So now I’m utterly surprised that in this day and age, I’m still answering questions about “How do I clone the entitlements of one user to assign to another?”

    WAH! Make Bob like Tom, we call that use case. And it’s a bad one.

    One of my favorite true stories from the book is the insurance company in Ohio that let the old guys provision the new guys, because they knew where the bodies and the entitlements were buried. That’s not much of a foundation for provisioning policies.

    Sure, it’s good to have a working model. You build a foundation for a set of entitlements, so that you have consistency, a set of policies that govern it, you already know who owns it and who assigns it and who approves the pieces. It’s called role-based provisioning. Then maybe add a few variations, perhaps even a couple of one-off entitlements. They’re called exceptions. Here’s your role, plus a couple of extras, all of it documented and duly governed.

    But you don’t use another PERSON as your model. It’s like whenever I wipe my hands on my tee shirt, my kids all yell, “Bad daddy, bad daddy.” If you grab the entitlements of a current user and simply slap them on another user, you are a bad daddy.

    Why? For several reasons.

    First, you don’t know what else that model user has picked up over time. Sure, maybe he’s doing the new guy’s job right now, but maybe he’s bounced around over the years, and has some access rights you forgot about. Entitlement creep occurs when people keep old access after being granted new access. Nobody shut off that old stuff. It’s what attestation is all about. It’s also proper deprovisioning practice to make sure you only keep the stuff you’re supposed to keep, with all the old bread crumbs getting eaten up when you get transferred. You can’t look at receivables anymore because now you’re in payables, and it’s a conflict of interest, a segregation of duties violation. You can’t request payments and approve them as well. You can’t prepare the financials and be the one who signs off on them. Et cetera.

    Second, what happens when the first guy goes away? Does that mean the second guy is now the model when you hire a third guy? Bad daddy.

    Third, auditors will hate you. They will think you’re a nincompoop. “He got his stuff because this other guy had the stuff first? You moron.”

    Fourth, users should get access rights for sound business reasons, and those rights should be governed in a sound business manner. “You were hired for this position, so we will grant you the proper role or roles for that position.”

    Fifth, change management. Let’s say the virtual role changes. Do you go around to all the individuals who are doing that job and change their access? Bad daddy. Very inefficient. Better yet, with role management, you change the role, add or delete or change the entitlements contained in the role, and have your RBAC system automatically modify the access for all users who currently inhabit that role.

    This is what tools like Oracle Identity Analytics (OIA) are for. Find those entitlements, create roles out of them, use those roles to feed provisioning, and by the way, occasionally attest to them to make sure people keep only what they’re meant to have in life.
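    To make the argument above concrete, here is an added toy model (not code from this post, and not OIM or OIA) of the two provisioning styles: cloning Tom onto Bob copies Tom’s entitlement creep and the segregation-of-duties violation that came with it, while role-based provisioning derives Bob’s access from his role plus documented exceptions and lets a role change propagate to every member. The role catalog, entitlement names and SoD rules are constructed for the example.

```python
# Added illustration, not code from the post or from OIM/OIA. Roles,
# entitlement names and segregation-of-duties rules are constructed.

# Constructed role catalog: role name -> entitlements it grants.
ROLE_CATALOG = {
    "AP Clerk": {"erp.login", "ap.request_payment"},
    "AP Approver": {"erp.login", "ap.approve_payment"},
    "AR Analyst": {"erp.login", "ar.view_receivables"},
}

# Constructed SoD rules drawn from the post's examples: no one person may
# hold both entitlements in a pair.
SOD_RULES = [
    ("ap.request_payment", "ap.approve_payment"),   # request and approve payments
    ("ar.view_receivables", "ap.request_payment"),  # receivables and payables
]

def provision_by_role(catalog, roles, exceptions=()):
    """Role-based provisioning: the union of the roles' contents plus any
    documented one-off exceptions. Nothing else rides along."""
    granted = set()
    for role in roles:
        granted |= catalog[role]
    return granted | set(exceptions)

def provision_by_clone(model_user_entitlements):
    """The 'make Bob like Tom' pattern: copy whatever the model user has
    accumulated, including access nobody ever shut off."""
    return set(model_user_entitlements)

def sod_violations(entitlements):
    """Return the SoD pairs that one person's entitlements violate."""
    return [(a, b) for a, b in SOD_RULES if a in entitlements and b in entitlements]

def change_role(catalog, role, add=(), remove=()):
    """Change management the RBAC way: edit the role once and return a new
    catalog; re-running provision_by_role updates every member of that role."""
    updated = dict(catalog)
    updated[role] = (catalog[role] | set(add)) - set(remove)
    return updated

# Tom started as an AR Analyst and was later moved to AP Clerk, but his old
# receivables access was never deprovisioned: entitlement creep.
TOM = provision_by_role(ROLE_CATALOG, ["AP Clerk"]) | {"ar.view_receivables"}

BOB_CLONED = provision_by_clone(TOM)                         # inherits the creep and the SoD violation
BOB_BY_ROLE = provision_by_role(ROLE_CATALOG, ["AP Clerk"])  # gets only what the position warrants
```

Running sod_violations on BOB_CLONED flags the receivables/payables pair that Tom should have lost on transfer; BOB_BY_ROLE comes back clean.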

    Nobody should automatically be like somebody else.  I mean, sure, if everybody was like me, we’d all be better off. But I’m an exception.

    Sunday, Aug 21, 2011

    All grown up and everywhere to go

    Today I saw my kid off for the first day of college.

    I’ve been blessed with two brilliant children. I don’t know how that happened. I mean, I’m married to a math teacher, and I’ve done pretty well in development and security architecture for over a quarter-century. But every birthday until my fortieth, my dad would tell me, “I can’t believe you survived this long.” And in high school I was voted “Most Likely to Die in the Electric Chair.” That’s not a joke.

    Is my burning passion identity and access management? Is it what I live for? Well, in the realm of security, it’s certainly one of the most interesting arenas. App security is all SANS Top 25, network security is mostly hardware, database is a commodity. But IAM is something you can actually architect across an entire whiteboard, with plenty of variations.

    But it’s primarily how I make my living. That’s what it is. In the end, we work to live, we (hopefully) don’t live to work.

    We try to impart our wisdom on our progeny and hope for the best. I’ve taught my kids to question authority, to doubt extremists at both ends, to trust science more than conjecture, and to honor their commitments. But their intelligence has far outstripped what I thought they would achieve, as has their kindness, their general goodness, and their talent for sarcasm.

    They’ve taken what we’ve given them and done so much more. They will do much more with all this and go way beyond my paltry IAM efforts. In truth, I am not worthy.

    I’m a lucky guy. I hope all of you are at least half as lucky.


    Wednesday, Aug 17, 2011

    Smart guys with bad intentions

    I really hate the movie Die Hard. First off, it came out in a time when Bruce Willis was primarily known for smirking his way through roles. He had that crap band, he thought he was an R&B guy, and man, he sucked. Of course, this was the role that got him into Terry Gilliam’s “Twelve Monkeys,” so I cut him a little slack. And Alan Rickman is great in absolutely anything he’s in.

    But what I really hate about it is the team of bad guys in general. They have a big crew. Some of them are computer geniuses. They have a ton of military hardware. So they take over a building in a very convoluted plot to make a bunch of money. It seems to me that with the budget they had for people and hardware, they could have invested that money for a while and come out ahead, instead of ending up dead or in jail.

    This is also what bugs me about some of the big-time hackers.

    As long as we make data available, unstructured or otherwise, it will be a target, and stuff will happen. Some of it is inexcusable (as I mentioned in my last post with regard to SQL injection). In fact, MOST of it is inexcusable, as well as preventable. Naturally, with every new defense comes a new attack. There are a lotta lotta lotta smart people out there who use their powers for evil. If they’re buried behind scrambled IPs and their own country’s borders, the risk isn’t even that big. If they’re state-sanctioned (like many Chinese hackers are believed to be) then there is ZERO risk. The domestic guys, well, they’re just plain stupid. If they get away with big stuff, they can get caught, and they’re accessible to law enforcement. The LulzSec children are a good example.

    “Come get us, come get us!”
    “Uh, okay.”

    Some of these guys get lucky. There are some kiddie hacks that still succeed. The aforementioned SQL injection is a good example. SQL INJECTION. That still burns me. How can you NOT protect against that?

    It's a lot easier to be a hacker these days. There are entire desktops and toolsets you can download to get up and going in a hurry.

    But a lot of these guys are practically brilliant. The operation that hacked TJ Maxx was run like a small dot-com. It was very organized. People like that, particularly the head guy who’s now rotting in jail, could have devised a whole security company around the IP he gathered for the sake of doing bad stuff.

    We’re obviously not motivating people correctly. Perhaps in some of these higher profile cases, Cell Block D will succeed where society has not.

    Wednesday, Aug 3, 2011

    It's their cloud, but YOUR responsibility

    I did some consulting at a place last year where the engineers all used a very popular cloud storage service. It’s a service I personally like as well, but when I found out that this group was storing customer RFPs and other nonsense there, I highly recommended they get that crap the hell OFF of there and store it internally. The service didn’t explicitly say, “Your stuff is safe here,” especially since for non-corporate users it’s free. The service said, “Here is the extent of our security. You’ll like it, but we make no stipulations.”

    My stance at the time was, a SAS or other auditor would shred the team if they knew where sensitive customer stuff was being kept. “It’ll be fine,” I was told in a very dismissive manner. I did convince them to get certain kinds of docs off there, although internal docs still got uploaded.

    Welllllll, a couple of months ago that cloud storage service was sued, because of a bug they introduced that allowed accounts to be accessed without passwords for roughly four hours on one particular evening. Ouch. I’m not saying to abandon ship on these guys. I still have customers who use them. I’m a little disappointed in them, in as much as they introduced the problem themselves. There’s a good chance that nothing in fact was compromised, but the window was certainly there. The service did the right thing by notifying all users whose accounts were accessed in that period (comprising less than one percent of their total base, although it’s still a lot of users). They took responsibility.

    The cloud is the direction everybody’s heading. Outsource. Don’t run your own servers. Make everything you can an operating expense, not a capital expense. Make somebody else liable for uptime and upkeep. Oh, and security. But remember, it doesn’t matter how many things you sign, how many security stipulations your provider provides, how many references they have. If they allow a breach, and it affects your customers and/or employees, you will still be on the hook. You can’t point and say, “It was that damned cloud company that allowed our social security numbers out.” It will be somebody else pointing at you and saying, “You’re the idiot who picked them.”

    So when you’re choosing that cloud vendor, first picture all the stuff YOU would put in place if you were hosting the platform yourself. What authentication and authorization mechanisms would you use? How would you protect against malicious packages (bad SQL, XML, SOAP calls)? How would you protect the data itself in the event somebody hacked through the DMZ?

    Then ask your potential cloud vendor what their equivalents are. It’s their service, but your liability.