The Black Book of Identity Access Mgmt
    Wednesday, Jul 14 2010

    Your bad code is mucking up my good code

    Just a couple of years ago, a whole bunch of U.S. homeowners in the Deep South began suffering from health issues, corroded wiring, malfunctioning heat and air conditioning, foul odors, and blackened fixtures. It turned out that their houses were solidly designed and built, except for the inclusion of toxic drywall originating in another country. Fixing these problems can cost a resident as much as it cost to build the house in the first place, because it involves removal and replacement of the drywall and all the affected components, and in many cases the residents have to live elsewhere during the process.

    The ugliness has been further complicated by the fact that the manufacturers of this bad drywall were not subject to U.S. laws, although there have been many settlements. A few simple-minded xenophobes commented that this is what happens when people buy foreign goods. This ignores the fact that there are a lot of quality foreign goods available in and from just about every country, and there’s no guarantee that every product made in one’s own country is by default a quality product.

    An awful lot of the code powering an awful lot of business apps is, just like these houses, partly composed of third party pieces, foreign or domestic. Ideally, you would test your software, including all those third party pieces, top to bottom. For example, you want to ensure that your software can't be turned against you to cough up proprietary data. Maybe the code you write yourself is dandy, but you're including third party libraries or custom code written elsewhere. And way too many third parties either don't teach their people to code securely, or they hand their junior programmers some desktop source code scanning tools and think that's sufficient to guarantee safe code.

    And that’s the kind of thing that software testing tools are built to deal with. But being that this is an identity blog, let’s concentrate on that aspect.

    First off, by applying tight policies on provisioning and access, you (help) ensure that only the correct accounts can execute necessary functions within your critical business apps. It's that first line of barbed wire, keeping the bad guys off the platform from which they might launch attacks. One of the most common launching points for SQL injection attacks, for example, is the login screen, because the username and password fields are fed straight into a database query. Proper validation of that input in the authentication path, with parameterized queries rather than string-built SQL, stops such an attack at the outset. Take that logic away from the business apps, and put it where it belongs, in a security layer that every app shares. If the bad guy doesn't get in at that point, he loses a whole lot of other opportunities to launch such attacks from within a session that looks to the system like a legitimate one.
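    The login-screen injection just described, as an added example that is not part of the original post (Python with an in-memory SQLite database; the table names, columns and sample account are assumptions made here). The "before" splices the user-supplied fields into the SQL text, so a password of `' OR '1'='1` satisfies the WHERE clause for any username; the "after" binds the inputs as parameters, stores a salted PBKDF2 hash instead of the password, and compares in constant time:

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample account; the table names, columns and credentials
# are assumptions for this example only, not from the original post.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse battery staple"
PBKDF2_ROUNDS = 100_000
INJECTION_PASSWORD = "' OR '1'='1"   # classic login-bypass payload


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the database never sees the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def build_db() -> sqlite3.Connection:
    """In-memory database holding the same account two ways: a legacy table
    with plaintext passwords (the 'before') and a hardened table with
    salted hashes (the 'after')."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_legacy (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users_legacy VALUES (?, ?)",
                 (SAMPLE_USER, SAMPLE_PASSWORD))
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (SAMPLE_USER, salt, _hash_password(SAMPLE_PASSWORD, salt)))
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The 'before': user input is spliced into the SQL text, so either
    field can rewrite the WHERE clause. Deliberately insecure."""
    sql = ("SELECT 1 FROM users_legacy WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The 'after': bound parameters keep the input as data, and the password
    is checked against a salted hash with a constant-time compare."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Hash anyway so an unknown username costs the same as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(_hash_password(password, salt), stored)


if __name__ == "__main__":
    db = build_db()
    print("legacy, injected  :", vulnerable_login(db, "anyone", INJECTION_PASSWORD))  # True
    print("legacy, commented :", vulnerable_login(db, "alice' --", "wrong"))          # True
    print("hardened, injected:", safe_login(db, "anyone", INJECTION_PASSWORD))        # False
    print("hardened, correct :", safe_login(db, SAMPLE_USER, SAMPLE_PASSWORD))         # True
```

    The second legacy call shows the other common shape of the attack: a username of `alice' --` turns the rest of the query into a comment, so the password check never runs. The hardened version hashes even when the username does not exist, so an attacker cannot tell a missing account from a wrong password by timing.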

    Second, if the bad guy does manage to get inside the front door, back end security is one of your safety nets. This means securing the data itself. This is why Oracle provides Database Vault and Audit Vault: to know who's doing what, and to allow or disallow certain functions based on realms, roles, and individual identities.

    By applying these layers of security, we can mitigate some of the risk of faulty code, whether it’s third party or homegrown. Even if you build completely secure code to start with, you still need to secure it from misuse, and that’s a heck of a lot easier than swapping out half your house.

    Monday, Jul 12 2010

    SPML, love it or ignore it

    A couple of years back, for the sake of some books I had published, a colleague pressed me very hard to create a MySpace page. I really hated having to accommodate the latest web fad, but I did it, and there was some value in it, I’ll admit. But then along comes Facebook, just a couple of years later, and MySpace is considered an anachronism (unless you’re selling music).

    It’s tough, being the Next Big Thing, because it automatically nominates you as Last Big Thing. What’s even worse is when you’re the heir apparent, and you never quite get there. For years, the Cubs (and it hurts to even type their name) had a shortstop that everybody kept saying had “so much potential.” He never quite sprouted, but man, he had potential, right up to the day they dumped him.

    I have started to wonder if this isn’t what SPML is. For years we’ve heard that anything with “Markup Language” tacked to the end of it would run the world. SPML was going to make provisioning executable via a standard protocol. But it just ain’t happening.

    In my book about designing an identity and access framework (shameless plug coming)

    http://www.amazon.com/Designing-Framework-Identity-Management-Osborne/dp/0071741372

    I even mention how, despite some corporate cheerleading, SPML isn’t gathering the following it was expected to. A lot of vendors still don’t support it. No business support means weakening intellectual support. And by intellectual support, I mean the many do-gooders out there, like those found at universities, who develop standards with fancy acronyms all the time, trying to save the world from its own boobydom, only to see their babies coddled only at seminars and focus groups, while never seeing commercial adoption.

    Some people complain that SPML is too complicated, and point out correctly that there’s no agreed-upon user schema. I’ve often thought that a souped-up SAML was a better candidate for this work anyway, since it HAS been adopted.

    Oracle supports it, although it’s interesting that THE big name in database hasn’t allowed for provisioning of DB accounts via SPML. One of the role mining vendors (with whom I’ve competed), trying to dive into provisioning, was pushing it, but perhaps only until they got their connector story together. “You don’t need that connector stuff, we can do SPML for you. Oh wait, things have changed.”

    If anybody can get the thing moving, it would be Oracle. Unlike Sun, Oracle has always liked to make money off their software, which means driving demand, which in turns means commercial adoption. SPML is so very close, but it could end up being the Almost Next Big Thing.

    Friday, Jul 09 2010

    The end is near (or at least the end of the quarter)

    In my family, we’re huge fans of the Discovery Channel, the History Channel, TLC (can’t wait for that new show where Sarah Palin shoots more stuff from a helicopter), and National Geographic (on which they specifically BAN people from shooting stuff from a helicopter). Between shows on the American Revolution, the Black Plague, the Crusades, the Ice Age, and guys blowing stuff up, they seem to run a lot of spots these days on the year 2012, which is when the Mayan calendar or the Druids or somebody else is predicting the world will end.

    I find these shows fascinating, but perplexing. Does this mean I should stop paying my mortgage? And does it also mean that I should be in a hurry to return my library books, or just not bother at all?

    We must remember that the End of the World is relative. For some, it’s already come. For example, if you’re in the role mining business, the deal sizes are small, and there’s nobody left to buy you out. Ouch. If you’re like me, then every time you see your wife’s relatives coming up the driveway, you’re pretty much PRAYING for Armageddon, or maybe you just fake a seizure, which has worked for me on occasion.

    But if you’re a CFO or CSO, the End of the World could be simply the End of the Quarter, if you’re not prepared for your next security audit. A bad audit can do damage to both your company and your personal well-being. If it’s a Sarbanes-Oxley audit, well, you have your lawyer talk to the auditors and you kinda get away with it. If it’s HIPAA violations, you write a letter, promise not to do it again, and you kinda get away with it. If it’s NERC, they come to your house and hit you in the knee with a big stick.

    Depending on your industry, the fines can be icky. Usually the bad press is reserved for people whose shortcomings have actually resulted in exploits or leakage. But failure to remediate following that audit may result in that leakage.

    Audits may not kill you. But I’ve seen some customers get really raked over the coals after one, and I’ve seen customer contacts get bad reviews because of them. Specifically, a customer told me after they got dinked, “You’d think, from listening to management, that it was the end of the world.” And there’s the worst case scenario. You may not think it’s that bad, but if your BOSS thinks it is, then it might as well be.

    Pass that security audit. Secure the infrastructure, make it tell you what is going on, how many users you have, what access they have, and enforce your policies. You do have policies, don’t you?

    Wednesday, Jul 07 2010

    Cubs, Sox, and Identity Management

    I grew up on the South Side of Chicago, not too terribly far from Comiskey Park, meaning I was raised a White Sox fan. My brother and his kid even got their picture on the front of the Sun-Times, taken at the park in 1977, on a day the Sox won and inched into first place. Wrigley Field, on the other hand, might as well have been on Mars, way up there on the North Side.

    But something went terribly wrong in our family. Maybe we grew up too close to power lines; maybe it was fluoridated water, I just don’t know. But some members of the family ended up becoming – gasp – Cubs fans.

    Well, pinch my can and call me Slappy, that is just so wrong. How did this happen? I mean, I always liked Jack Brickhouse (even saw him open a run of Damn Yankees), but that’s where it ended. How did my blood relatives end up rooting for a team that plays in a crumbling tomb with awful bathroom facilities, a place that’s regularly inhabited by yuppies who don’t even pay attention to the games, preferring to talk on their cell phones and talk about that day about a hundred and fifty years from now when the Flubs finally make it to the Series?

    The faithfully flimsy-brained also have their fond memories of Harry Caray mangling Cubs players' names, forgetting that he had previously mangled names for the Sox, and for the Cardinals before that. Of course, I love his restaurants, but I often turned down the sound on the TV and caught the audio off the radio, like I often do with Bears games, rather than listen to him.

    One does not follow the Cubs for the sake of watching a winning team. You watch them because it’s become an in thing. These same yuppie boneheads talk about Wrigley like it’s some kind of cathedral. Forget it. While the shirtless drunks are roasting in the bleachers, swilling their Coors Light, the fans in the shade behind first base might be freezing their cans off. Good luck trying to use the johns. And watch out for all that falling concrete. Meanwhile, the uninformed still blame a guy named Steve Bartman, instead of their own lousy fielding, for blowing their last decent chance of getting to the big game.

    The Sox, in the meantime, have been to a couple of Series, and have even won one in recent history. They, um, what’s that word … oh yeah, they CONTEND. The Cubs merely exist. You want to blow off an afternoon? Watch the Cubs. Are you serious about baseball? Watch the Sox.

    So what’s this got to do with IAM? Plenty.

    While I have to stare blankly at people when they tell me they’re Cubs fans, I maintain that same gaping, slack-jawed look for security guys who tell me they don’t have any provisioning or access management at all. You’d think that by now EVERYBODY has something in place. But no. It’s not often, but it still happens that I speak to companies where provisioning is still entirely manual. This also means, by the way, that their DE-provisioning is entirely manual as well. It takes them hours or days to pull a terminated user’s rights out of all the target systems, and any system they forget keeps that user’s access alive.

    Their access is governed completely by Active Directory groups. Oh yeah, and they have no idea how MANY of those groups they have, nor where they’re used. These places are auditing nightmares. They can’t push a button and instantly figure out all the resources a user has access to, or has EVER had access to, and neither can they look at a resource and figure out which users have access to it. Just like Cubs fans can’t figure out the last time their team went to the Series, because their grandfathers weren’t alive then.
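    To show what "push a button" access reporting looks like once AD groups can nest, here is an added example in Python (not from the original post); the groups, resource grants and user names are constructed for illustration. It resolves nested membership without looping on cycles, builds both the user-centric and the resource-centric view, lists groups that grant nothing anywhere, and computes the complete set of direct memberships to strip when a user is terminated:

```python
from collections import defaultdict

# Constructed sample directory (not real data): AD-style groups whose
# members may be users or other groups. All names are assumptions.
GROUP_MEMBERS = {
    "All-Staff": ["alice", "bob", "carol"],
    "Finance": ["bob", "Finance-Managers"],
    "Finance-Managers": ["carol"],
    "HR": ["dave", "HR-Admins"],
    "HR-Admins": ["carol", "HR"],      # nests HR back in: a membership cycle
    "Legacy-Project": ["bob"],         # granted on no resource anywhere
}

# Which groups grant access to which resource (shares, apps, roles).
RESOURCE_GRANTS = {
    r"\\fs01\finance": ["Finance"],
    r"\\fs01\hr": ["HR"],
    "Payroll-App": ["Finance-Managers", "HR-Admins"],
    "Intranet": ["All-Staff"],
}


def walk(group, groups):
    """Return (users, groups) reachable from `group` through nested
    membership. Visited groups are tracked so a cycle cannot loop forever."""
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, ()):
            if member in groups:
                stack.append(member)
            else:
                users.add(member)
    return users, seen


def resource_to_users(groups, grants):
    """Resource-centric view: for each resource, every user who can reach it."""
    return {
        res: set().union(*(walk(g, groups)[0] for g in gs))
        for res, gs in grants.items()
    }


def user_to_resources(groups, grants):
    """User-centric view: for each user, each resource and the granting group(s)."""
    view = defaultdict(dict)
    for res, gs in grants.items():
        for g in gs:
            for user in walk(g, groups)[0]:
                view[user].setdefault(res, set()).add(g)
    return dict(view)


def unused_groups(groups, grants):
    """Groups that no resource grant reaches, directly or through nesting."""
    used = set()
    for gs in grants.values():
        for g in gs:
            used.update(walk(g, groups)[1])
    return sorted(set(groups) - used)


def deprovision(user, groups):
    """Strip a user's direct memberships. Returns (new_groups, groups_touched);
    with nesting resolved, `groups_touched` is the full list of places to visit."""
    touched = sorted(g for g, members in groups.items() if user in members)
    new_groups = {g: [m for m in members if m != user] for g, members in groups.items()}
    return new_groups, touched


if __name__ == "__main__":
    for res, users in resource_to_users(GROUP_MEMBERS, RESOURCE_GRANTS).items():
        print(f"{res:15} <- {sorted(users)}")
    print("carol can reach:", sorted(user_to_resources(GROUP_MEMBERS, RESOURCE_GRANTS)["carol"]))
    print("groups granting nothing:", unused_groups(GROUP_MEMBERS, RESOURCE_GRANTS))
    after, touched = deprovision("carol", GROUP_MEMBERS)
    print("remove carol from:", touched)
    print("carol after:", user_to_resources(after, RESOURCE_GRANTS).get("carol", {}))
```

    The membership cycle (HR-Admins contains HR, which contains HR-Admins) is deliberate: once nesting is resolved, every HR member turns out to have Payroll-App access through HR-Admins, which is exactly the kind of surprise the resource-centric view surfaces and a group-by-group eyeballing misses. The `deprovision` output is the checklist a manual shop has to work through by hand, and the empty "carol after" line is the proof that the checklist was complete.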

    Rooting for the Cubs and/or not having IAM in place represents a fundamental problem, a tear in the time/space continuum, a metaphorical asking for misery. It's 2010, for cryin' out loud.

    So hey, are you a Cubs fan? You’re a complete dodo. And are you lacking an IAM platform? You’re a complete … potential customer. See ya soon!

    

    Sunday, Jun 27 2010

    I love squirrels, but I can only eat three or four at a time

    When we built our new house, we picked an oversized lot, and we inherited a ton of huge trees. Along with this came the wildlife. Our dog got skunked our first summer. Rabbits eat my wife’s sunflowers. Coyotes keep leaving rabbit bits all over. Raccoons dig up our compost and vegetable garden. And then there’s the squirrels.

    I put up a couple of bird feeders to hang on some low-lying branches, one for big birds, and the other for finches, tiny colorful little things that look very tasty to me. Anyway, the squirrels just loved the big bird feeder. They would climb on that thing, shake it like hell, dump all the bird seed on the ground, then eat it all up. They could empty that big feeder in half an hour. So I bundled some chicken wire around where the feeder attached to the branch. That intimidated the squirrels for about a week, then they learned that chicken wire is terribly easy to climb on. I put an aluminum dish around the top of the feeder, and this puzzled them for a few days, until they found a way around it.

    I took a plastic yard sign and draped that over it. When they tried to climb on it, they would slide off. But then they figured out how to kind of hang from the branch a couple of feet away, and leap on to the feeder. At one point, I had the chicken wire, dish, and sign on there all at the same time. But with each piece of defense, the little rodents took less and less time to reason their way past it.

    It got to the point where it looked like I’d built some huge contraption to protect what started to look like a little bitty bird feeder. It got downright stupid. I talked about electrifying it from the top. My kid said it wouldn’t matter, one day we’d wake up and find them standing on each other’s shoulders to reach it from the ground.

    Finally I bought one of those shepherd’s poles, a curved rod you stick in the ground that squirrels can’t climb.

    My point is, this is how hackers do it. No matter what you put up, they will eventually figure out a way around it. So there are two ways to examine the issue. First, defense in depth. Figure out what a proper identity for getting into a system looks like. Provision your identities securely and logically. Then associate a proper authentication and authorization model for access control. Don’t forget fine-grained application security. Audit everything that’s going on. Make it as difficult as possible.

    But remember the TJ Maxx saga? That wasn’t a single hack. It was a whole series of them. The bad guys made Swiss cheese of that system.

    So one more thing to consider: database security. Don’t allow unencrypted data to ever leave the nest. There are solutions you can install on top of your data, but if your database does the encryption itself, inside the database kernel, that’s even better. No matter what client the hackers might employ, the data is secured at the source.

    Remember Occam’s Razor: all things being equal, the simplest explanation is the most likely. And the simplest solution might be the most efficient. Besides the chicken wire and minefields and predator drones, protect your assets at their source. Make it as hard as possible for the bad guys to reach the door, and then secure what’s behind the door.