The Black Book of Identity Access Mgmt
    Sunday, June 3, 2012

    Who’s in charge around here? IdM validation

    Several years ago I flew to Lexington, Kentucky to visit a large printer manufacturer. Very nice people, and they had this amazingly long hallway in their factory that was almost a mile long. But one of the things I remember most about that trip occurred at the airport.

    I traveled there with two other guys, and we ended up walking behind two ladies and three kids. As we walked toward baggage claim, the women walked faster and faster, and the kids, the oldest of which was no more than ten, fell behind. The women were oblivious. Eventually we lost sight of them altogether. At one point, the kids stopped to look out the window, and WE, complete strangers, were the ones who told them to keep up. The two women were long gone. We actually walked a little slower so WE wouldn’t lose the kids.

    Once in baggage claim, we had to scan for the women, who were at the far end. We then had to point them out to the kids, who would otherwise have been lost. As a parent, I was fairly horrified at the stupidity of these women, who, once the kids ran up to them, said, “Well, THERE you are.”

    I wanted to say, “Yeah, there they are, after we escorted them, AFTER you practically abandoned them.” Dumb dumb dumb. Apparently they assumed that total strangers were going to make sure their kids found them.

    You should NEVER assume that other people will be doing the job. ANY job. Or that things will magically happen. My kids will leave dirty dishes next to the sink, and assume that magically they will end up in the dishwasher.

    Somebody has to OWN every job, every process. Validation, verification, candle on the cake, must be the responsibility of a real person. In the last year, I visited a client where terminations triggered various notifications to a variety of departments, so they could each handle their piece of it, but no one party OWNED terminations. So if at any point one or more target systems were not corrected (i.e. the terminated user was not removed), it might never be caught. Nobody was going over the checklist. Everybody just assumed that everybody else would do their duty.

    At another client, terminations were SUPPOSED to trigger notifications to everybody, but sometimes these “fall through the cracks.” The backstop was a monthly HR report. More recently I spoke with a place where that backstop window was ANNUAL.
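    The checklist that nobody was going over can be run as code. The following is an added example, not part of the original post: it reconciles HR's termination feed against the account lists pulled from each target system and reports every terminated user still holding an account, with the number of days the account has been open. The user names, system names and dates are constructed sample data. Run the same pass monthly and the worst case is a month of exposure; run it annually and it is a year.

```python
from datetime import date

# Constructed sample data for this example (not taken from the post): the HR
# termination feed and the account lists exported from each target system.
HR_TERMINATIONS = {
    "jdoe": date(2012, 3, 2),
    "asmith": date(2012, 5, 20),
    "bwong": date(2012, 5, 28),
}

TARGET_SYSTEMS = {
    "active_directory": {"jdoe", "asmith", "ckim"},
    "erp": {"asmith", "bwong", "ckim"},
    "vpn": {"jdoe", "ckim"},
}

REVIEW_DATE = date(2012, 6, 3)  # the day the process owner runs the checklist


def find_orphans(terminations, systems, as_of):
    """Return {user: {system: days_since_termination}} for every terminated
    user who still holds an account on any target system.

    One pass over every termination against every system, which is the
    checklist the post says nobody owned.
    """
    orphans = {}
    for user, term_date in terminations.items():
        for system, accounts in systems.items():
            if user in accounts:
                orphans.setdefault(user, {})[system] = (as_of - term_date).days
    return orphans


def overdue(orphans, sla_days):
    """Flatten the orphan map into (user, system, days_open) tuples that have
    been open longer than the removal SLA, worst first."""
    rows = [
        (user, system, days)
        for user, per_system in orphans.items()
        for system, days in per_system.items()
        if days > sla_days
    ]
    return sorted(rows, key=lambda row: (-row[2], row[0], row[1]))


if __name__ == "__main__":
    found = find_orphans(HR_TERMINATIONS, TARGET_SYSTEMS, REVIEW_DATE)
    for user, system, days in overdue(found, sla_days=1):
        print(f"{user:8} still active in {system:17} {days:3} days after termination")
```

    The point of the second function is the SLA: an account that is still there the day after termination is a process failure, not a backlog item, and the owner of terminations is the person who signs off that the list is empty.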

    For critical processes, somebody has to be in charge. They must be accountable. Nothing magical happens. Don’t let important tasks “fall through the cracks.” And don’t lose your kids in the airport.

    Thursday, May 17, 2012

    WHO GETS YOUR STUFF WHEN YOU DIE? (IT artifacts)

    I have always thought that I’d want to be cremated when I die. Certainly I don’t want to do it ahead of time. But the idea of being six feet under doesn’t really appeal to me. I’d rather get burned and urned, then, most definitely, put in a glass case or a wall, at a proper mausoleum.

    What I would NOT want is for my kids to take possession of my ashes. What would they do with them? At my writing group at the library, one lady wrote a true story about renting a house and finding somebody’s Grandma’s urn high up in a closet. When the previous tenants had scrammed, they had left it behind. Ouch.

    And by the way, there is a cottage industry for more creative ways to memorialize dead relatives. They can shoot those ashes into space (too expensive), or turn those ashes into a diamond and set it into a ring (“Hey, it’s my turn to wear Uncle Ernie!”).

    Of course, the kids could just scatter me near my favorite bar. They’d actually have to split me up, because I have five favorite bars. But I digress.

    Once you’ve got that urn, you need to figure out how to deal with it. Sure, give it to the kids, but by the time THEY’RE gone, now THEIR kids have that urn. What if everybody in the family wants to be cremated? Now the great-great-grandkids have a collection. They can line them all up and make a bowling alley out of the back hallway. Or, more likely, they’ll dump the contents so they can have a container for flour, another for powdered sugar, another for teabags, and you see where this is going.

    I am regularly amazed at the clients who have no documented procedure for the disposition of artifacts after a termination (or even a transfer). If you leave on a good note, you will likely be turning your stuff over to somebody else to carry on. And by the way, if nobody is taking over your stuff when you leave, it’s a good indication that you weren’t terribly necessary, so it’s a good idea to be moving on.

    But if a user is terminated for cause, you need to grab their stuff. Not only for business continuity, but also for auditing. I fired you for fraud or whatever, so I need to examine your files, your emails, your messages. If nothing else, that stuff should be reassigned to somebody else, perhaps the manager, until it all gets a proper home, or is archived. In the book, I describe how, when our mortgage agent was fired for gross incompetence (and for being, in general, a complete idiot who is probably working at the circus right now), his files were completely locked up. Our mortgage company had no way to recover the mails, files, or messages of a deprovisioned user. Unbelievable. We had to send all our documentation to the mortgage company again, including the stuff THEY had sent to US. This is known in the industry as a really crappy procedure.

    Reassign, archive, zip up, audit. You have to deal with the detritus. In those many, many CSI shows, the good guy has to collect and examine the evidence when the bad guy shoots somebody. But in our instance, you are both the shooter and collector.

    Tuesday, May 1, 2012

    NO SoD POLICIES? IT’LL COST YOU

    Dixon, Illinois is a pretty neat little town. Half dying because it used to depend on a fading farm community, but it’s got an iconic arch for a gateway, it’s the birthplace of Ronald Reagan, and it’s home to an excellent state park. My wife and I have had a couple of getaways there over the years, a ways west of Chicago.

    In October 2011, Rita Crundwell, the comptroller and treasurer of Dixon, went on her own getaway, and while she was gone, the city clerk found some boo-boos in the books. Turns out Rita had been looting the town, and had stolen around $30 million over six years. The town’s annual budget never exceeded $9 million.

    Rita had been supporting a lavish lifestyle, including a couple of horse farms, on a salary of $80K. Nobody seemed to catch that.

    Everybody had trusted Rita. She would even perform some of the duties of the city commissioners while they were unavailable. Real or digital, that’s excess entitlements.

    But here’s the kicker. Kelly Pope, a forensic accountant as well as a professor of accountancy at DePaul, said that auditors should have caught Dixon’s weak internal controls. “That’s Accountancy 101, SEGREGATION OF DUTIES … the person that writes the checks isn’t the person who deposits the checks.”

    My first introduction to the consequences of SoD violations was during a visit to a mortgage company in Pennsylvania, during the height of the real estate boom. Anybody who could make an X in purple crayon on the back of an Eskimo Pie wrapper could get a mortgage. But the client at hand had been written up when one of their officers had submitted and approved his own $2M mortgage. Hey, you gotta draw the line somewhere.

    I have spent a lot of time cataloging the various tricks and traps of auditors, the ways in which they show they’re worth their money, by tripping people up on the dumbest of things. Remember, auditors are not your pals. They are there to screw with you. If an audit goes squeaky clean, it’s assumed the auditors haven’t done their job. So they will always find something. It’s like the old story in Chicago, if the health inspectors need a Christmas bonus, and your restaurant doesn’t have any rat droppings, they will bring their own.

    Segregation of Duties is an easy one: people who hold conflicting entitlements. A lot of organizations KNOW they have this problem, but can’t fix it simply because they don’t have enough bodies. That’s when you come up with toxic combos. “You can’t have A and B if you already have C.” In any event, there must be a set of policies, they must be regularly reviewed and enforced, and any exceptions must be documented.

    And there’s your partial out. Document all exceptions. This provides you at least a temporary reprieve. The only thing worse than a violation is one you were grossly ignorant of. Take responsibility for it, document it, and mitigate as best you can. In other words, it’s okay to get caught, just not with your drawers completely down.
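    Here is what toxic combos and documented exceptions look like once they are written down as policy rather than tribal knowledge. This is an added example, not code from the original post or from any product: the policy names, entitlement names, identities and exception record are constructed. Each policy is a set of entitlements no one identity may hold together; a three-entitlement set is the “A and B if you already have C” form. The detective check lists every identity whose entitlements contain a toxic combo, and a documented exception with an expiry downgrades the finding to “mitigated” instead of hiding it. The preventive check is the same rule applied at provisioning time, before the conflicting entitlement is granted.

```python
from datetime import date

# Constructed example policies (not from the post). Each policy is a toxic
# combination: a set of entitlements no single identity may hold together.
SOD_POLICIES = [
    {"id": "SOD-001", "conflict": {"CHECK_WRITE", "CHECK_DEPOSIT"},
     "note": "whoever writes the checks must not also deposit them"},
    {"id": "SOD-002", "conflict": {"LOAN_SUBMIT", "LOAN_APPROVE"},
     "note": "nobody approves their own mortgage"},
    {"id": "SOD-003", "conflict": {"VENDOR_CREATE", "INVOICE_APPROVE", "PAYMENT_RELEASE"},
     "note": "can't create vendors and approve invoices if you already release payments"},
]

# Constructed identities and their current entitlements.
USERS = {
    "rita": {"CHECK_WRITE", "CHECK_DEPOSIT", "BANK_RECONCILE"},
    "finch": {"LOAN_SUBMIT", "LOAN_APPROVE"},
    "clerk": {"CHECK_WRITE"},
    "buyer": {"VENDOR_CREATE", "PAYMENT_RELEASE"},
}

# A documented exception: who approved it, the compensating control, and when
# it lapses. An exception changes the finding's status; it never suppresses it.
EXCEPTIONS = [
    {"policy": "SOD-002", "user": "finch", "approved_by": "cfo",
     "mitigation": "second-signer review of every approved loan",
     "expires": date(2012, 6, 30)},
]

REVIEW_JUNE = date(2012, 6, 3)   # exception still in force
REVIEW_JULY = date(2012, 7, 15)  # exception has lapsed


def lookup_exception(exceptions, policy_id, user):
    for exc in exceptions:
        if exc["policy"] == policy_id and exc["user"] == user:
            return exc
    return None


def evaluate(users, policies, exceptions, as_of):
    """Detective check: (user, policy_id, status) for every identity whose
    entitlements contain a toxic combination, sorted by user."""
    findings = []
    for user in sorted(users):
        held = users[user]
        for policy in policies:
            if not policy["conflict"] <= held:
                continue
            exc = lookup_exception(exceptions, policy["id"], user)
            if exc is None:
                status = "violation"
            elif exc["expires"] < as_of:
                status = "violation (exception expired)"
            else:
                status = "mitigated"
            findings.append((user, policy["id"], status))
    return findings


def would_violate(held, requested, policies):
    """Preventive check at provisioning time: which policies would granting
    `requested` trip that the identity does not already trip?"""
    after = set(held) | {requested}
    return [p["id"] for p in policies
            if p["conflict"] <= after and not p["conflict"] <= set(held)]


if __name__ == "__main__":
    for user, policy_id, status in evaluate(USERS, SOD_POLICIES, EXCEPTIONS, REVIEW_JUNE):
        print(f"{user:6} {policy_id} {status}")
    print("buyer + INVOICE_APPROVE would trip:",
          would_violate(USERS["buyer"], "INVOICE_APPROVE", SOD_POLICIES))
```

    Two design choices matter to an auditor. The exception carries an approver, a compensating control and an expiry, so the report can show the violation was known and accepted rather than missed; and an expired exception reverts to a violation on its own, which is what turns “document all exceptions” from a one-time reprieve into a recurring review.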

    There’s only one place on Earth where violations are not enforced. My house. I am not allowed to pick dinner, handle the check book, choose my own clothes, determine the time to leave for church, or comment on the kids’ hairstyles. And it all started years ago with the exclamation from the household SoD violator: “Please tell me you’re not wearing THAT to the funeral.”


    Wednesday, April 18, 2012

    Hacking: it can happen to YOU

    I’ve been spoiled lately. Almost all my flights have been smooth since last fall. I even visited Europe for a customer this past month, and had clear sailing over the Atlantic and back. Other than one brutal trip home from Detroit in January, it’s all been good.

    But in almost fifty years of flying, I’ve never gotten used to turbulence. I absolutely hate it. My wife, who barely flies, deals with it better than I do. So I have been very lucky in recent months, and haven’t been sweating getting off the ground. And that’s how it goes. We get cocky when we go long periods without a bump.

    I see the same thing with clients. Hacking? We’ve never been hacked. That stuff happens to other people.

    There have been some pretty high profile breaches in the last couple of months. After one of these hit the headlines, their biggest competitor called me in to discuss what I knew of the case. I had read between the lines in the newspaper coverage, and provided some analysis. But it was clear in the first ten minutes, they weren’t worried so much about securing their assets as they were about passing their next audit. Their auditors, they said, would be tougher after the recent news.

    When customers say they’ve never had anybody try to hack them, it means they haven’t been looking hard enough. “We make porcelain doorknobs, who would want to hack us?”

    It doesn’t matter who you are. If you’ve got sensitive data, somebody somewhere will know it, and they will go after it.

    It CAN happen to you. Unless you don’t let it.


    Wednesday, April 4, 2012

    How to Succeed in IdM by Really Trying

    Recently I took the family to the local high school to see their spring musical, “How to Succeed in Business Without Really Trying.” The guys in charge of staging these things are geniuses. The band was phenomenal. And the kids, especially the lead, were amazing. I really expect him to go places.

    It’s a very old Broadway show that was turned into an excellent movie decades ago. The gist of the story is that a guy named Finch worms his way to the top by being clever, sneaky, sometimes deceitful. He doesn’t really work at the process so much as creep around it.

    I more than occasionally run into organizations that try to do the same thing while aiming at security, compliance, or converting from one security platform to another, or multiple others. Part of the problem is the bottom-feeding portion of the vendor community that tries to sell its wares by telling potential clients that the answer to compliance, for example, or role management, or Segregation of Duties (SoD) is to install their crap and BOOM – they’re done. Well, obviously it’s a lie.

    For example … there is NO magic bullet product that can create SoD policies on your applications for you. There are libraries out there, built on best practices, for the most common business apps, such as Siebel, Peoplesoft, SAP, etc. These templates can be digested by various enforcement tools, but YOU still have to put them in their proper place.

    There is NO magic roles product. There are solutions out there that will help you discover and refine inherent roles, but certainly not create them from scratch in perfect condition. Oracle Identity Analytics, for example, can help not only with roles, but also with the anti-roles, namely SoD.

    There is NO magic compliance tool. Compliance with just about any regulatory set of requirements means having to improve your processes as well as your IT solutions. It’s not just installing a piece of software. PCI compliance means putting in place policies and solutions across database, infrastructure, identity, and other aspects of your systems.

    It ALL takes work. You need to prioritize, then create a plan, acquire the human and digital assets, then build, test, and execute. You might get outside help, but the liability is still YOURS. So no matter what, it’s WORK. Sound hard? Well, you balance that work against lower productivity, lower user satisfaction, higher help desk costs, higher audit support costs, and the really big one, RISK.

