The Black Book of Identity Access Mgmt
    Saturday, Jul 16 2011

    Morons can hack me? That makes me a moron, too

    Recently, I once again got into the debate over whether database security is identity related.

    Database security has long been relegated to back room guys, away from the business. RBAC hasn’t been a part of that equation. And that makes it tougher, IMHO, to strike that balance between the need to secure data while simultaneously making that data available to those who need it.

    Most often, user context doesn’t get you to the data. You pull up your browser, fill out a form, click Submit, then your data gets posted to a program that then hands it off to a web service which in turn makes requests on your behalf, with its own super-user context. Hijack that super-user, get all the data.

    I blogged recently about the other debate here, namely do you want all your users to have their own database context. It’s potentially a lot of database licenses. There’s also the hassle of authenticating users directly to the database. There are solutions, like Oracle Enterprise User Security, that allow you to authenticate users to the DBMS via Active Directory or other sources.

    Enforcing a single user context in theory limits the amount of damage a hacker can do in a single session. I can bring back my own data, but not everybody else’s. The audit trail is definitely cleaner.

    How dangerous is a rogue privileged account? Still plenty. By now you’ve probably heard of the LulzSec guys, who keep hacking major corporations, allegedly for their own amusement as well as to point out deficiencies in security. I’m not big on their notion of stealing and sharing data for the sake of scaring people into better security.

    But here’s what really, really scared me about what they did. They hacked Sony with SQL INJECTION. In this day and age, they used an idiot’s hack. It’s the world’s easiest hack. There is no excuse for not defending against it. Holy crap!

    Your inputs need to be secured against it. That’s the programmatic defense. But at the absolute foundation, you need to secure the DBMS itself against this nonsense. So here’s what you can do:

    - Install a database firewall that checks those inputs (e.g. Secerno)

    - Employ a db-level firewall

    Huh? What’s that second option? I’m thinking of something like Oracle Database Vault. In theory, no matter what you put in front of the database, somebody can peek around it. DB Vault is in place essentially within the database itself. You can create realms inside the database limiting the access between those realms, based on -- HEY -- role. You can also limit the types and scope of SQL commands. None of this “SELECT * FROM BANK-ACCOUNTS” baloney.
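    To make the three layers above concrete (the input-level hole and its parameterized fix, the single user context from earlier in the post, and a database-level limit on command types), here is an added example in Python against an in-memory SQLite table; it is not code from the blog or from any Oracle product, and the accounts table, its rows and the function names are constructed for illustration. The authorizer stands in for the "db-level firewall" idea, not for Database Vault itself.

```python
import sqlite3

SAMPLE_ROWS = [  # constructed sample data, not real accounts
    ("alice", "ACC-1001", 250.00),
    ("bob", "ACC-2002", 9800.50),
    ("carol", "ACC-3003", 42.00),
]

def make_db():
    """Constructed in-memory table standing in for the post's BANK-ACCOUNTS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, acct TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def lookup_vulnerable(conn, owner):
    """Form input pasted straight into the SQL text: the hole the post rails against."""
    sql = "SELECT owner, acct, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterised(conn, owner):
    """Programmatic defence: the driver binds the value, so it is never parsed as SQL."""
    sql = "SELECT owner, acct, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()

def lookup_in_user_context(conn, session_user, acct):
    """Per-user context: whichever account is requested, only the caller's own row returns."""
    sql = "SELECT owner, acct, balance FROM accounts WHERE acct = ? AND owner = ?"
    return conn.execute(sql, (acct, session_user)).fetchall()

def read_only_authorizer(action, arg1, arg2, db_name, trigger):
    """DB-level limit on command types: this connection may read data, never change it."""
    if action in (sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE, sqlite3.SQLITE_DROP_TABLE):
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK

def try_delete_all(conn):
    """True if the engine itself refused the DELETE, whatever the application sent."""
    conn.set_authorizer(read_only_authorizer)
    try:
        conn.execute("DELETE FROM accounts")
        return False
    except sqlite3.DatabaseError:  # raised as 'not authorized' by the authorizer
        return True

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "x' OR '1'='1"))     # every row: the injection worked
    print(lookup_parameterised(db, "x' OR '1'='1"))  # []: the same text is just a name
    print(try_delete_all(db))                        # True: refused inside the engine
```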

    So there. You CAN relate identity to database security. Hell, I don't care if you relate Mongolian sheepdogs to database security, as long as you have it.

    SQL injection? Really? It’s 2011, last time I looked.

    Sunday, Jul 10 2011

    I pledge to not be stupid

    It’s all the rage these days in some political circles to sign pledges. Special interest groups say to the candidates, sign our pledge and we’ll endorse you. Say that you pledge not to raise taxes, that you won’t support cap and trade, that you’ll wash your hands after using the bathroom, that you’ll brush after every meal. And woe be unto you if you refuse to sign my pledge.

    I personally don’t like candidates who suck up and go along with this because, let’s say you sign one of these things and actually become president. You either:

    1) Have turned over your presidential powers to some special interest because of a piece of paper

    2) Ignore the thing later and show you were only pandering in the first place.

    Well, call me a hypocrite. Because here’s the one pledge I wish people WOULD take. And that is to not cop out when it comes to compliance. And here’s what I mean.

    Modern regulatory compliance, the kind with actual teeth, was created as a response to some serious boo-boos. If people had been more vigilant to begin with, or in fact had simply done their jobs right, some compliance laws might never have been enacted. So sure, maybe it’s a good thing that we got the wake-up call, but it’s a shame that it was necessary.

    The origins of Sarbanes-Oxley? Ugly story. HIPAA? Good story, just (IMHO) slowly and weakly implemented. We’re too nice in the USA. Here’s a new law, we’ll give you until the cows come home to comply. In India, in Germany, get with the program, or really bad stuff happens. THAT is how it should work.

    But plenty of organizations will say, we don’t have to be compliant. We’re not public. We don’t report anything. Our parent company doesn’t demand audits. None of our subsidiaries amounts to more than 1 percent of our total revenue. We all wear tinfoil hats here. Whatever. In other words, we don’t need to pass audits or be compliant.

    This is where your partners, customers, suppliers, vendors, etc. need to kick in. You’re not compliant? Well, if you want to do business with ME, you’d better be.

    My opinion is, why wait? A large food company, a customer of mine years ago, didn’t wait to be told they needed to get those processes in place. They didn’t wait for various provisions of a particular law to kick in over years’ time. They took some people off line, spent some budget, and built the processes and reporting and put some individuals in positions to drive compliance and audit support. No mad scramble later. It was all forethought, it was economical, and I’m sure somebody got a bonus for it.

    Fine, don’t call it compliance. Call it security. Secure your database. Encryption.

    You’re privately held? Yeah, well, at some point you’re going to be on the hook. Hook yourself, at least a little, right now, before somebody hooks you later.

    Saturday, Jul 02 2011

    Oh no, it's SSO

    I don’t know when it happened precisely, but at some point my phone bill turned into a Frankenstein monster. I thought I’d picked a simple package, but after some back and forth with the phone company, managing options on a main (home) line and an additional home office line, I could no longer tell which options on my bill applied to which line. Expensing the office line has become a science project, and I found I’ve been paying way more than when I started, despite multiple negotiations to lower my monthly.

    The last customer service guy I spoke to agreed that it’s nearly impossible to decipher the mess. And no, you CANNOT cherry pick your options. You have to pick a plan. You might want three options from one plan and two from another, but it doesn’t work that way. The customer is not right.

    I started feeling this way a while back about Oracle and SSO. The E Business Suite came bundled with OSSO for a long time. You can also use OAM 10g. A lot of EBS customers are on EBS r11, although there’s lots of encouragement to migrate to r12. Well, OSSO goes away, so you need OAM 11g. But r11 doesn’t like 11g, so you need 10g as a common denominator if you have both versions running in your enterprise, which a lot of people do while they’re migrating.

    It sounds confusing, but at least you know that it WILL simplify as customers upgrade.

    By the way, there is an EBS AccessGate. Now, the term AccessGate is an OAM thingy, but this isn’t exactly an OAM AccessGate. Even more confusing. The config for it can get pretty hairy too, so having a professional put that in place for you isn’t a bad idea.

    And don’t forget that if you’ve been running OIM 9i with a third party (i.e. non-Oracle) SSO plug-in, and you upgrade to OIM 11g, you might be out of luck, since the standard for OIM SSO going forward is OAM.

    This whole story will sort itself out, for sure, while I’m positive that my phone bill will still suck ten years from now.

    Saturday, Jun 25 2011

    IDM on the cheap

    I was scanning CNN.COM this morning, and came across an amusing headline: BEST BOX WINE FOR THE BUCK.

    Yes, yes, wine in a box. Sort of like Coors Light, it's beer for people who don't really like beer. Wine in a box doesn't quite say, "I'm a sophisticate." It says, "At least I'm not drinking out of a paper bag."

    I imagine if you go to the ballpark in California, you can see the boxed wine set drinking the stuff from headgear. Y'know, like a wine bong. Chug, chug, chug, but with your pinkie extended.

    Okay, so these same kinds of people are asking me in to discuss enterprise SSO, provisioning, compliance. And they stack up the major vendors against ... boxed wine solutions. Little point products that "provision" to AD. They do password reset, but only to AD. They do little bits of compliance reporting, with none of that data actionable.

    So you got an itty bitty toolset that lets you fill out AD attributes, or that futzes with your password? A reporting thingy that tells you what AD groups people are in? Oh gee.

    It's your business, your livelihood, your credibility as an organization. I'm not saying you have to break the bank, but you have to take this seriously. "Oh, we're not publicly traded, we don't do much reporting, we don't have to sweat this much." So productivity and efficiency go out the window, and when that day inevitably comes that you DO have to provide reporting, or you DO get hacked, then you're scrambling.

    Don't get an IAM solution that comes with a pop top or screwtop. Get one with a cork.

    Thursday, Jun 09 2011

    Secure? Compliant? PROVE it

    For a recent trip with the family to Washington DC, we ended up in the line at O'Hare with the full body scanner. EVERYBODY associated with this thing was an IDIOT. In theory it should make things quicker, but the TSA staff acted like children with the thing, and our line quickly got backed up in a big way.

    Everyone in line was told, take EVERYTHING out of your pockets, metal or otherwise. Suffice it to say, hardly anybody understands the definition of the word "everything." This further held things up.

    Then literally everybody who went through the line was asked on the other side, "Do you have anything in your pockets?" By that time, the answer for everybody was no. And then the TSA geniuses frisked everybody ANYWAY. I always say, do what you gotta do, and let me outta here. My wife, on the other hand, wasn't too pleased with being groped by strangers.

    I had to ask them the rhetorical question, "If you're going to ask people about their pockets and then frisk everybody ANYWAY, what is the freaking point of the scanner?"

    There's only one place where this idiotic, paranoid approach to security really counts: regulatory compliance. I always say four things about compliance:

    1) reporting does not equal compliance

    2) being secure doesn't mean you're automatically compliant

    3) being compliant doesn't mean you're automatically secure

    4) it's not enough to BE compliant; you have to PROVE you're compliant


    Auditors don't care if you have all the policies in the world locking down your systems. They want to see the reports. You have to BE compliant, and you have to PROVE compliance. In fact, it may not be enough to generate the reports on successes and failures. They may very well want to see the proper time/date stamps on those reports, to indicate that you created them at the right points in time, and that presumably you looked at them. Remember, you create the policies to regulate behavior, report on that behavior, then refine those policies to deal with unexpected behavior. If you don't look at the reports when they're relevant, then you're not really doing the job.

    I'll say this much for auditors: at least they usually keep their hands to themselves.