We have met the enemy, and he is ...
In the last few months, Oracle’s been doing some joint presentations with a counter-terrorism guy. Everybody raves about his stories and background in figuring out who the bad guys are and where they’ll strike next. The idea is to anticipate their actions and nip them in the bud. He and I had a great chat about it. You can’t decide how to fix something until you figure out the exact problem, and he does it on a large scale. We discussed how it’s very similar to what we’re trying to do in IAM.
In the utilities arena, the big compliance beast is NERC, which mandates the protection and continuity of the electric grid. Identify your most important assets, then determine the type and scope of perimeter you will erect around those assets. Now, you might say that this is walling yourself up, and not proactively going after the bad guys who might assail that wall. But here’s where you do just that.
The Oracle Adaptive Access Manager (OAAM), a great product with a pain in the ass name, is access management on steroids. It's not just policies; it can actually learn from user activity and help you build those policies. In a standard AM environment, you set policies that say "people in this LDAP group can access pages in this directory." You might also look at time of day, and even origin IP address. That's what Oracle Access Manager does, as do similar products like SiteMinder.
But what OAAM does beyond that is look for types of behavior. Volume. Transaction type. Movement. It will look at your IP now, and which IP you're using ten minutes from now. Did you move? How far did you move? Did you start in New York, and end up in San Fran? Nobody moves that fast. You're an impostor. That's the classic impossible-travel check: distance between two logins divided by the time between them.
Are you the CEO? C'mon in. Are you the CEO but you're logging in from home, and on a Sunday night? Hmm, you never do that. Give me a token first. I'll even send one to your cell phone. Wait, you're not using your normal device to log in. It's a different laptop or smart phone. Here are some security questions for you.
Wait, I don’t care WHO your credentials say you are, nobody has a legit reason to examine salary data on a mobile device. Denied.
Historically, do you download five files at a time? What about the other users at your location, or in your work group? If you’re suddenly doing something out of character for you or your group, such as downloading a thousand engineering specs at once, is it really you? Or maybe it IS you, but you’re quitting, and taking as much stuff as you can on the way out the door. So this activity needs to be shut down, and alerts generated.
These types of behavior can be put into buckets or patterns, which OAAM can examine when deciding if you’re good to go in a given session. In a lot of cases, OAAM customers don’t even set allow/deny policies. They’ll just turn the thing on for a couple of weeks to monitor behavior, and figure out what the policies should be. Maybe their users don’t access the system the way they anticipated.
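To make the last few paragraphs concrete, here is a toy risk scorer in Python. It is an added illustration, not OAAM's engine or any Oracle code, and everything in it is an assumption: the IP-to-city table (documentation addresses, not real lookups), the 1000 km/h "nobody moves that fast" ceiling, the point weights, and the 40/80 step-up and deny thresholds. It does the same two things the post describes: a "monitor mode" that only learns a user's devices, hours and download baseline, and a scoring pass that flags impossible travel, an unrecognised device, an off-hours login, a volume spike out of line with the user and the group, plus the hard rule that salary data never goes to a mobile device.

```python
"""Toy adaptive-access scorer (illustration only, not OAAM)."""
from __future__ import annotations
import math
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from statistics import mean

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0      # assumption: faster than this is impossible travel
STEP_UP, DENY = 40, 80          # assumed score thresholds

# Constructed IP-to-location table (documentation address ranges, not real geo data).
GEO = {
    "203.0.113.10": ("New York", 40.71, -74.01),
    "192.0.2.44":   ("New York", 40.73, -73.99),
    "198.51.100.7": ("San Francisco", 37.77, -122.42),
}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

@dataclass
class Event:
    user: str
    when: datetime          # tz-aware UTC
    ip: str
    device_id: str
    device_type: str        # "laptop" or "mobile"
    resource: str           # e.g. "reports", "salary", "specs"
    downloads: int = 0

@dataclass
class Profile:
    """What we learned about one user while just watching (the 'bucket')."""
    known_devices: set = field(default_factory=set)
    work_hours: range = range(7, 19)                                    # assumed 07:00-18:59 UTC
    work_days: set = field(default_factory=lambda: set(range(0, 5)))    # Mon-Fri
    download_history: list = field(default_factory=list)
    last_login: tuple | None = None                                     # (when, ip)

    @property
    def baseline_downloads(self) -> float:
        return mean(self.download_history) if self.download_history else 0.0

def learn(profile: Profile, ev: Event) -> None:
    """Monitor mode: update the baseline, enforce nothing."""
    profile.known_devices.add(ev.device_id)
    profile.download_history.append(ev.downloads)
    profile.last_login = (ev.when, ev.ip)

def score(ev: Event, profile: Profile, group_baseline: float) -> tuple[int, list[str]]:
    """Return a risk score (0-100) and the reasons behind it."""
    risk, reasons = 0, []
    # Hard rule: salary data never goes to a mobile device, whoever you are.
    if ev.resource == "salary" and ev.device_type == "mobile":
        return DENY, ["sensitive resource from mobile device"]
    # Impossible travel: where were you last time, and how long ago was that?
    if profile.last_login and ev.ip in GEO and profile.last_login[1] in GEO:
        prev_when, prev_ip = profile.last_login
        _, lat1, lon1 = GEO[prev_ip]
        _, lat2, lon2 = GEO[ev.ip]
        hours = max((ev.when - prev_when).total_seconds() / 3600, 1 / 60)
        kmh = haversine_km(lat1, lon1, lat2, lon2) / hours
        if kmh > MAX_PLAUSIBLE_KMH:
            risk += 80
            reasons.append(f"impossible travel ({kmh:.0f} km/h)")
    if ev.device_id not in profile.known_devices:
        risk += 30
        reasons.append("unrecognised device")
    if ev.when.hour not in profile.work_hours or ev.when.weekday() not in profile.work_days:
        risk += 25
        reasons.append("outside usual hours")
    # Volume: out of character for this user AND for the group they sit in.
    ceiling = 5 * max(profile.baseline_downloads, group_baseline, 1.0)
    if ev.downloads > ceiling:
        risk += 80
        reasons.append(f"{ev.downloads} downloads vs baseline {profile.baseline_downloads:.1f}")
    return min(risk, 100), reasons

def decide(risk: int) -> str:
    return "deny" if risk >= DENY else "step-up" if risk >= STEP_UP else "allow"

def run_demo() -> dict:
    """Watch two constructed work weeks of ordinary sessions, then judge new ones."""
    ceo = Profile()
    start = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)      # a Monday, 09:00 UTC
    for day in (0, 1, 2, 3, 4, 7, 8, 9, 10, 11):
        learn(ceo, Event("ceo", start + timedelta(days=day), "203.0.113.10",
                         "laptop-01", "laptop", "reports", downloads=4))
    last = start + timedelta(days=11)                            # Friday 09:00, last learned login
    # Each trial is scored against the same learned profile; none of them is learned.
    trials = {
        "normal": Event("ceo", last + timedelta(hours=1), "192.0.2.44", "laptop-01", "laptop", "reports", 5),
        "sf_ten_minutes_later": Event("ceo", last + timedelta(minutes=10), "198.51.100.7", "laptop-01", "laptop", "reports", 3),
        "sunday_night_new_phone": Event("ceo", last + timedelta(days=2, hours=13), "203.0.113.10", "phone-99", "mobile", "reports", 1),
        "salary_on_phone": Event("ceo", last + timedelta(hours=2), "203.0.113.10", "laptop-01", "mobile", "salary", 0),
        "leaving_with_the_specs": Event("ceo", last + timedelta(hours=3), "203.0.113.10", "laptop-01", "laptop", "specs", 1000),
    }
    return {name: decide(score(ev, ceo, group_baseline=5.0)[0]) for name, ev in trials.items()}

if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:24s} -> {verdict}")
```

Running it gives "allow" for the ordinary Friday-morning login from a second New York address, "deny" for the same laptop showing up in San Francisco ten minutes later, "step-up" for the Sunday-night login from an unknown phone, and "deny" for both salary-on-a-phone and the thousand-file download. The point of the structure is the split between `learn` and `score`: you can run only `learn` for a couple of weeks, look at what the profiles say about how people actually work, and only then pick the weights and thresholds.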
OAAM can also learn changes in behavior. Maybe your workforce becomes more mobile. Maybe you’ve moved people around to different offices. They do more from home. It might automatically move somebody to a different bucket. And so on.
There’s so much to OAAM, it’s hard to cover it all here (there's lots more detail in MY BOOK). You might say, wow, what’s the downside to this wonderful piece of software? And here it is. It does so much, you may not want to do all of it. I don’t use 90 percent of the options on my phone. Novell used to beat Sun in a lot of LDAP deals way, way back when, with an inferior product, because most people didn’t use all the options in the more expensive Sun directory.
But OAAM is pretty much on its own in the range of things it can do. It doesn't just keep out the bad guys, it points them out to you. You want to fine-tune those policies, so that while you're keeping the bad guys out, you're not also punishing the good guys who have every legit reason to come in.