The Black Book of Identity Access Mgmt
    Wednesday
    Jan122011

    Lock down everything and EVERYBODY

    Certainly you need to do everything you can to secure your systems. Goes without saying (yeah, I know, I just said it, so sue me). But the fact is, you also need to lock down your people.

    Bill Clinton, years back, issued an executive order authorizing only twenty individuals to classify information. But those twenty also got the authority to delegate that same authority to many others. In the end, literally millions of government employees and contractors gained the right to classify material.

    In late 2009, Obama issued an order mandating that those who classify information put their names on the material they classify. What a great freaking idea! Non-repudiation, right? If you’re going to make a mess, take responsibility for it.

    Let’s recall the prime directive of NERC CIP compliance: identify your critical cyber assets, then establish an electronic security perimeter around them. Well, by classifying millions of documents, the government made its own job that much harder. The more you classify, the bigger the perimeter, and the more people who have to be let inside it.

    Wikileaks didn’t steal the material. They published what they were given by an idiot Army private by the name of Manning. He was able to download a metric ton of documents, and the only reason they caught him was that a hacker friend of his turned him in. This was an IT security failure of massive proportions.

    PEOPLE are the weakest link, many times. Just a couple of years ago, the Pentagon granted clearances of various levels to over 600,000 people. If everybody in the neighborhood is in the play, who is your audience?

    Recently, on a plane from Chicago to Boston, the moron next to me had a loud cell phone conversation in which I learned the details of not only the inefficient inner workings of his company, but the dishonest sales reps in his org, and another guy they were planning to fire for fraud (and he took particular satisfaction in the idea of denying the guy unemployment benefits). In my book, I detail a couple of other stories about the horrors of mouthy guys on planes giving away otherwise secret info.

    All the policies in the world won’t keep you perfectly safe if you’ve got loudmouths, idiots, or crooks in your chain of command. However, they CAN limit the damage (see my blog entry of 12/10, below, which discusses this). And there’s one more item to consider. Regardless of how things happen, a decent identity and access framework will give you an audit trail that tells you EXACTLY how, so that you know who to beat with sticks once you’ve discovered a breach. It’s good to be able to point fingers. Of course, it’s better not to have a REASON to point fingers in the first place.

    

    Thursday
    Jan062011

    SSO, RSO, WTF

    About three years ago, I did a pitch to a potential partner in Cleveland. Identity management, access management, single sign-on, the usual. The head guy there, Ken, liked the overall value proposition, except for SSO. He said that while plenty of their customers liked it, naturally, he himself was not a big fan. Internally, he told me, they didn’t believe in SSO at all. He said it made them less secure. Break one password, you’ve broken them all. And he was right. SSO is not a security value, it is user experience. It’s convenience. Customer service. Employee productivity. It can make various disconnected links look like they’re part of one big portal.

    Fewer passwords mean less time getting locked out, I suppose. But it’s true: if you hack my SSO password, you’re into all my other accounts.

    Increasingly I hear about RSO, or Reduced Sign On. Instead of remembering one password to sub for twenty, you remember, let’s say, three or four.

    These days you can log into various websites, like HuffingtonPost or a number of political and news sites, using your AOL or AIM creds, or even Facebook or Twitter. Log into YouTube, and it wants to link you up to their sister company. You can link all these accounts. I still haven’t taken up Yahoo on the offer to be my password valet, despite the less-hassle factor. I don’t live on any of these sites enough to care (although I see a handful of so-called adult professionals posting every damn sneeze and butt scratch on FB – grow up!).

    And the risk isn’t just somebody hacking one site. It’s your vault, the place where you stash your multiple id’s, your gateway info to the multiple apps and domains you hit. ESSO, OAM, and now the acquired Passlogix products are how Oracle handles these various keys. They’re kept safe and secure. The scary part is, the bad guys know where they’re at. The less scary part is, that doesn’t mean they can get at them, as long as the store is encrypted and the master credential that unlocks it is strong and well protected. A vault concentrates your risk in one place, so that one place had better be the best-defended thing you own.

    One of the cool things about federation is providing just enough info to a site that it lets me in, without having to let it look down my throat. The identity provider (Site A) asserts to the relying site (Site B) only the attributes B actually needs. It takes site-to-site trust, but if Site B trusts the Site A I just came from, I’m in good shape. That’s what I do NOT like about how it’s being handled out there on the web. I recently wanted to comment on a site where idiots insisted Barack Obama was born in Kenya. I could authenticate with my Facebook creds, but the site wanted me to allow them to grab all my FB profile info. I declined, and therefore left them to wallow in their redneck ignorance.

    There’s a little white lie in my IAM book. I tell a story in which a guy used as his password the vulgar nickname he had for his dog. In fact, it was the vulgar nickname he had for his wife. He was, indeed, a scumbag. But McGraw-Hill asked that I change the story to be a little friendlier. Regardless, it was something he could remember.

    I keep in my head not one, but a half-dozen strong passwords, combos of upper/lower, numeric and special character strings of a reasonable size. When one expires, I move to the next. These serve me well, and if I forget which one I used at a particular site, I cough up one of the others, and I’m in. Takes a wee bit longer, but RSO is definitely a safer way to go. Especially since my wife only goes by one name, and she likes it like that.

    

    Thursday
    Dec232010

    Death by, and safety in, committee rule

    In February 2010, I was on a 6 am flight back home from St. Louis to Chicago. It was completely overcast and, as expected, the ride was bumpy. As unexpected, the ride became HOLY CRAP bumpy. I have no idea why the flight attendant was serving drinks, because we were all over the place. By the time she got to me, I literally had to reach out and grab her before she fell over. I helped her into the seat across the aisle from me, and together we hung onto her cart. It was another twenty minutes before she got up again.

    So here’s my bad segue. When things suck, that’s when you get together and figure out how to fix them. You have to recognize the problem, you have to agree on a solution, and then you have to work together. Sounds easy, right? Nah. Democrats and Republicans look at the same issue and see two different solutions.

    Sometimes my family wonders why I laugh so hard at Dilbert in the comics each morning. I tell them, before I began traveling for a living 17 years ago, I lived in a cube and in meeting rooms. I know what it’s like to be stuck in endless design meetings. But the fact is, you need those groupthink exercises. It’s how you get consensus, input, feedback, and ass-covering. “Don’t tell me I made a mistake, because in last week’s meeting, you signed off on it.”

    Let me rip a story out of my book. At one particular Midwest university, the IT staff, despite having inherited several different directories, agreed to run the larger enterprise on a very small number of them. They made their lives easier down the road based on what they did now. SSO, federation, RBAC, everything would be easier when the time came, because they had simplified.

    On a broader scale, the IT community has generated standards that serve everybody equally well. Maybe we’re not all speaking the exact same language, but if we have some common options, we can exchange data, interoperate, integrate, and build bridges a lot faster. XML and SAML have been astounding inventions, especially in the identity management realm. For app security, we have the OWASP guidance and the CVE and CWE catalogs.

    There’s still some churning going on. When it comes to single sign on, there are still competing “solutions” from Sun, Microsoft, and others. Of course, much of that has been due to the profit motive. If my solution looks best, I make more money. This is an example of the demotivational poster that says, “None of us is as dumb as all of us.”

    But in general, when thinking people come together, they can usually hash out, if nothing else, a reasonable compromise. Can’t we all just get along?

    

    Sunday
    Dec192010

    Now that I'm here, I forgot why I came

    Not too long ago, I was driving two salesguys to a meeting. Because one of them had flown in late, I was hauling (in my Dodge Caravan). The guy who’d come in late asked me if I could participate in a call he was getting on, as he needed a technical resource. I said, sure. He said, “I just sent you the dial-in info.” I pointed out to him that I was doing a bit over the speed limit and, most important, was frigging DRIVING. I handed the other guy the phone and asked him to dial me in. Bluetooth in place for hands-free conversation, I was now partially listening, since I tend to pay more attention to the road than anything else when I’m DRIVING. We began discussing some contract language. The guy leaned forward and whispered, “I just sent you the docs the lawyer is talking about, in case you have any opinions.”

    Temporarily stunned, I put myself on mute and said, “In case you haven’t noticed, I’m still freaking DRIVING.” Only a salesguy would expect you to read Word docs on your BlackBerry WHILE you’re doing better than 70 on the tollway.

    My mistake was in not setting expectations. I guess, at the outset of our journey, I should have made it clear: “Your life, and mine, are in my hands. To this end, I will focus on staying between the lines and avoiding contact with other speeding metal crates on the road, so that we may reach our destination and then return safely home.”

    This is the diplomatic version of, “Hey dumbass, I’m DRIVING.”

    Expectations should be set at the beginning of any transaction, and occasionally restated.

    Years ago, I started a cycle with a large beverage company. We put together a plan for basic auth and SSO for a single division. But then all the subsidiaries started trying to jump on board. All these companies, with all their own portals and directories, and they wanted a giant umbrella to put them all under. I told my contact there until I was blue in the face, stop trying to do it all in one big shot, because he would never succeed. Stick to the original plan, I reminded him.

    And more recently, I dealt with a large agri-science company that kept changing the plan: swapping authentication schemes, swapping the authentication directory, changing their SSO strategy, widening, then narrowing, then again widening the scope of which groups of users would be included in the first pass; adding, then deleting, federation as part of the scope; changing the repository for security questions; and so on.

    When in doubt, pick something small. Get basic auth and password management (meaning policies and reset) up and running. SSO, or at least reduced sign-on. A common user directory, at least for the users in the first scope. Show that you can do that much. Then build from there. Make sure you’re not building something in the first phase that can’t be reused. If something crops up, tell the cropper-upper they have to wait for Phase 2, unless they’re the guys with the doughnuts. Don’t boil the ocean, just a single cup of coffee.

    

    Friday
    Dec102010

    Don't mind me, I'm just robbing the place

    It doesn't take much to ruin a country's entire diplomatic posture, its sense of security, its standing in the world, its dignity. All it takes is two guys: one self-righteous guy to publish a bunch of secret documents, and another guy to steal them.

    And this is Wikileaks. Mr. Assange feels that he's somehow making the world a better place by spilling a whole lot of secrets to which he wasn't entitled. While some of this stuff actually bears being submitted to the light of day, it turns out a whole lot of it is stuff that could set back efforts to fight piracy, fight corruption, push the North Koreans and the Burmese to the table, and so on.

    Regardless of his motives, it took a willing accomplice, in this case a young simpleton in the military, with WAY too much access and not nearly enough supervision. He downloaded untold thousands of documents, then transmitted them to Assange. HOW did this moron get his hands on all this intelligence? How was he able to download so MANY docs and move them into the wrong hands?

    Sure there are plenty of people who need access for one reason or another (although I kinda wonder why this 23-year-old dweeb was one of them). But it's not always just WHO you are or WHAT you are. It's also WHAT YOU'RE DOING. Think back to basic access management, like OAM or SiteMinder. Policies match up id, origin, and request. Okay, so you could say that an access policy gives this goober access to these docs. But let's add that other dimension, HOW you're doing WHAT you're doing.

    Is he allowed to download this stuff? Looks like it. Should he be allowed to download ALL of it? Holy crap, Batman!

    At some point, you need to examine BEHAVIOR. Why do you care? How often does classified stuff fly off the shelves? No idea. But in the business world? All the time. Here's the business case:
    Poindexter downloads five or six docs a week. Today, he's downloading dozens. Oh, and after hours. There are TWO red flags, in fact. Does he ever do stuff after hours? No. Does he normally download this kind of volume? No. Zzzzzzt. Something's wrong. Shut down his session and send out an alert.

    Maybe he's got a perfectly legit reason for doing so. So you're interrupting him. He'll be back online soon enough, IF it's legit. But maybe he's leaving, and wants to take a bunch of IP with him to the competitor. Maybe he's being paid by industrial spies. Maybe he wants to start his OWN competitive business (I know a guy who did this very thing, and kind of got away with it). An old customer of mine monitoring for anomalies caught an employee downloading THOUSANDS of design docs (telecom hardware), and discovered that he had less than good intentions.

    There are various products out there that handle this kind of behavioral monitoring, in conjunction with the usual id/origin/time-of-day/request policy matchup. The one I've got the most experience with is the horrendously named Oracle Adaptive Access Manager, or OAAM. Pronounce the acronym phonetically, and it sounds like you've got gas pains. Anyway, you can put users into behavioral buckets, based on title, location, whatever, and when a member of the bucket acts in a way that doesn't fit the usual pattern, OAAM can challenge them for something extra or shut them down outright, depending on how you set the policy. If it's found to be chronic yet anomalous behavior, that user might get moved into another bucket.

    Another cool thing is to just turn on OAAM and let it build those buckets. You don't know what you don't know, right? So let it monitor for a few weeks and tell you what those patterns are, and then start applying those policies.
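    Here's the Poindexter business case and the "learn the buckets first, then enforce" idea from the last two paragraphs, boiled down to working Python. This is an added example written for this post; it is not code from OAAM or any other product, and the log format (ISO timestamp, user, group bucket, action), the thresholds, the names and the sample data are all made up for illustration. Learning mode summarizes each user's daily download volume and the hours they're normally active, per user and per group bucket; enforcement scores one day of a user's activity against that baseline, falls back to the bucket when the user has no history, and kills the session only when two independent flags (volume AND odd hours) fire.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Tuning knobs: assumptions for this example, not values from any product.
VOLUME_SIGMAS = 3        # daily volume above mean + 3 sd is a flag...
VOLUME_FLOOR = 2.0       # ...but only if also at least 2x the mean, so tidy users don't trip on one extra doc
MIN_TRAINING_DAYS = 5    # less history than this -> score against the user's bucket instead

def parse(line):
    """Constructed line format: ISO timestamp,user,group,action."""
    ts, user, group, action = line.strip().split(",")
    return datetime.fromisoformat(ts), user, group, action

def build_baseline(lines):
    """Learning mode: summarize daily download volume and active hours per user
    and per group bucket. No enforcement happens here."""
    user_days, group_days = defaultdict(lambda: defaultdict(int)), defaultdict(lambda: defaultdict(int))
    user_hours, group_hours = defaultdict(set), defaultdict(set)
    for line in lines:
        ts, user, group, action = parse(line)
        if action != "download":
            continue
        user_days[user][ts.date()] += 1
        group_days[group][(user, ts.date())] += 1     # one sample per user-day in the bucket
        user_hours[user].add(ts.hour)
        group_hours[group].add(ts.hour)

    def summarize(days, hours):
        counts = list(days.values())
        return {"days": len(counts), "mean": mean(counts), "sd": pstdev(counts), "hours": set(hours)}

    return {"users": {u: summarize(d, user_hours[u]) for u, d in user_days.items()},
            "groups": {g: summarize(d, group_hours[g]) for g, d in group_days.items()}}

def score_day(baseline, lines):
    """Enforcement: score one user's downloads for one day against the baseline.
    Returns (verdict, reasons). Two independent flags end the session."""
    events = [e for e in map(parse, lines) if e[3] == "download"]
    if not events:
        return "allow", []
    _, user, group, _ = events[0]
    profile = baseline["users"].get(user)
    if profile is None or profile["days"] < MIN_TRAINING_DAYS:
        profile = baseline["groups"][group]           # bucket fallback for thin history
    reasons = []
    volume = len(events)
    limit = max(profile["mean"] + VOLUME_SIGMAS * profile["sd"], VOLUME_FLOOR * profile["mean"])
    if volume > limit:
        reasons.append(f"{volume} downloads vs. limit {limit:.1f}")
    odd_hours = sorted({ts.hour for ts, *_ in events} - profile["hours"])
    if odd_hours:
        reasons.append(f"activity in never-before-seen hours {odd_hours}")
    if len(reasons) >= 2:
        return "terminate_and_alert", reasons
    return ("alert", reasons) if reasons else ("allow", reasons)

def synth(user, group, day, start_hour, count, step_minutes=60):
    """Constructed log lines (not real data) for one user on one day (day as YYYY-MM-DD)."""
    first = datetime.fromisoformat(f"{day}T{start_hour:02d}:00:00")
    return [f"{(first + timedelta(minutes=step_minutes * i)).isoformat()},{user},{group},download"
            for i in range(count)]

def constructed_training_log():
    """Four weeks of weekday activity for an 'engineering' bucket (constructed)."""
    lines, monday = [], datetime(2010, 11, 1)
    for d in range(28):
        day = monday + timedelta(days=d)
        if day.weekday() < 5:
            iso = day.date().isoformat()
            lines += synth("poindexter", "engineering", iso, 9, 5 + d % 2)   # 5 or 6 docs, 09:00 to 14:00
            lines += synth("alice", "engineering", iso, 10, 4)
            lines += synth("bob", "engineering", iso, 10, 7)
    return lines

if __name__ == "__main__":
    baseline = build_baseline(constructed_training_log())
    # 40 docs starting at 21:00 -> volume and after-hours flags -> kill the session
    print(score_day(baseline, synth("poindexter", "engineering", "2010-12-09", 21, 40, step_minutes=4)))
    # a busy but ordinary day -> allowed
    print(score_day(baseline, synth("poindexter", "engineering", "2010-12-09", 9, 9, step_minutes=30)))
    # a new hire with no history, scored against the bucket -> alert only
    print(score_day(baseline, synth("carol", "engineering", "2010-12-09", 15, 12, step_minutes=2)))
```

    The floor on the volume limit matters: with a baseline as steady as five or six docs a day, mean plus three standard deviations is only about seven, and you'd be interrupting people for one extra document. The bucket fallback is the OAAM idea of putting a user with no history of their own next to peers with the same title, rather than waving them through because there's nothing to compare against.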

    In the wake of Wikileaks, the US military is also banning flash drives and other removable media. There's a solution for that as well, but maybe we'll cover that next time. In the meantime, it's WHO, WHAT, from WHERE, and HOW. Sure, now we know that the president of Afghanistan tends to go off his meds, but did we really need to?