There was an excellent article at Dark Reading the other day about data leaks focusing on insider threats. It did all the right things by pointing out “insiders have access to critical company information, and there are dozens of ways for them to steal it” and “these attacks can have significant impact” even though “insider threats represent only a fraction of all attacks–just 4%, according to Verizon’s 2012 Data Breach Investigations Report.” The article goes on to discuss how you can use gateways, DLP for at rest and in flight data, behavioral anomaly detection, and a few other technologies in a “layered approach using security controls at the network, host, and human levels.” I agree with every word.
Yet, there is one aspect of the controls that somehow escapes mention – letting a potentially powerful ally in this fight off the hook from any action. There is not one mention of proactive controls inside the applications and platforms that can be placed there by IAM. A great deal of insider access is inappropriate. Either it’s been accrued over time or granted as part of a lazy “make them look like that other person” approach to managing entitlements. And app-dev teams build their own version of security into each and every little application they pump out. They repeat mistakes, build silos, and fail to consume common data or correctly reflect corporate policies. If these problems with entitlement management and policy enforcement could be fixed at the application level, the threats any insider could pose would be proactively reduced by cutting off access to data they might try to steal in the first place. It’s even possible to design a system where the behavioral anomaly detection systems could be consulted before even handing data over to a user when some thresholds are breached during a transaction – in essence, catching the potential thief red handed.
Why do they get let off the hook? Because it’s easier to build walls, post guards, and gather intelligence than it is to climb right inside of the applications and business processes to fix the root causes. It’s easier to move the levers you have direct control over in IT rather than sit with the business and have the value conversation to make them change things in the business. It’s cheaper now to do the perimeter changes, regardless of the payoff – or costs – later. Again, this is not to indict the content of the article. It was absolutely correct about how people can and very likely will choose to address these threats. But I think every knows there are other ways that don’t get discussed as much because they are harder. In his XKCD comic entitled “The General Problem,” Randall Munroe says it best: “I find that when someone’s taking time to do something right in the present, they’re a perfectionist with no ability to prioritize, whereas when someone took time to do something right in the past, they’re a master artisan of great foresight.” I think what we need right now are some master artisans who are willing to take the heat today for better security tomorrow.
My degree is in philosophy; specifically I studied what would be called cognitive science or philosophy of mind. I still read papers and articles about the field occasionally as they come to my attention. Doing some pleasure reading this father’s day weekend I came across this passage in a paper called “Conceptual Problems in Memetics in a Multi-Level View of Evolution and Behaviour” which seemed to call out a problem that is worth considering for those contemplating the next generation of directories:
Consider the problems of ostension for a mother who points out and names the species of a bird that is singing in a tree to her infant child. How does the child know what precisely is being given a name: the name could refer to all trees containing birds, or all small, noisy objects, or of that particular bird, or of the underside of its belly? To avoid ambiguity, the child needs some low-level schemas, perhaps reflecting the nature of taxonomy and the economy of expression, which act as “attractors” for the acquisition of new higher-level schemas. These aspects might allow a child to surmise firstly that the mother is referring to the bird in itself, and not as part of its relation to this particular tree, or the fact that the bird happens to be singing. Secondly, these aspects should allow the child to realise[sic] that it is the “whole” object of the bird that is being referred to, rather than, say, only its underside. While the child has not yet developed a detailed knowledge of birds and their general relations to other very basic categories in the world, he or she is unlikely to expect the mother to be referring to detailed aspects of a bird.
We all know what someone means when they say “there is a need to track all the accounts and rights granted to those accounts that are associated with any specific person”. There are definitive ideas of an account, a person and a right – though a right is likely the one most likely to admit something inexact into the conversation. But these very concrete things are not first order objects in directories, they don’t have their own schema. Instead they are all persons or, worse, accounts, and the very obvious classes they fit into described in that simple to understand requirement are merely attributes assigned to them. That seems like something worth fixing. When the technical and real life descriptions diverge that much, it can never be good for your ability to get things done.
If you look at the language I’m using, my prejudice becomes clear. The concepts of object oriented programming seem to be very useful in this problem space. The idea of having a base class, like a person, and having classes that extend that to be an employee or similar flows very well. It also fits very well with reality. All these entities are people after all. And that base object becomes implemented through a schema for entries in a directory. If one organization relies heavily on contractors and another does not, it’s likely that contractors will have very different “schemas” defining them in each. If those two organization now want to share data about identity including the contractors, they may find themselves with a big job of mapping. If they had a shared basic schema that has been used by another more complex one as a parent in the more contractor reliant shop, there are well established ways for those interactions to take placed based on patterns from object oriented designs. And imagine how much better that could be using something similar to a common schema everyone used.
Doing things along these OO lines would also allow us to do more with less. Since the base classes are shared, changes to those would make their way through everything. And as new use cases arise, simple inheritance would allow for quick work making these new classes of schemas that map to the needs.
I’m always in catch up mode with my reading. I finally got to Ian Glazer’s “Access Certification and Entitlement Management” on a plane to California. If you are in the market for access certification, trying to understand how to construct and approach to managing entitlements or just want to understand the moving parts of access in any reasonably complex organization, then this is a must read. What got me thinking most was the tone of the paper. Essentially it boils down to the good advice to make sure you define boundaries for tasks well and get the people from the business who should own the information to become the owners by the end of the process. Ian also encourages you to use whatever resources you can, even if they make strange bedfellows. It reminded me very much (and I’m going to mix analyst firms here so forgive me) of Earl Perkin’s thoughts about making the auditor your friend and making sure you “care, but not too much”, which he communicated at the Gartner IAM Summit last week (and blogged about previously as well).
All this got me thinking about the actual content of such IT to business communication regarding access certification. And, since I was trapped on a 6+ hour flight with a power outlet but no internet, I came up with this small, tongue in cheek video. I know the terms will feel like nails on a chalkboard to some since they are not exact. But I really tried to exercise that “it’s more important that they get the right ideas and not the exact right terminology” notion as best I could.