Sunday, June 07, 2009

Central Management

One of the objectives of my trip to Europe is to consider what additional systems an Identity Management system should support.


Perhaps the biggest area that is not being supported is security applications. One wonders why this is so. Being able to centrally manage Smart Cards, Certificates, and Tokens is critical in maintaining security and regulatory compliance.


Take this example, where Abdirahman Ismail Abdi managed to resign and then commit 9.2 million dollars in fraudulent wire transfers with his still-active electronic key card.


From an IdM perspective, we need to realize that de-provisioning must cover all sensitive Enterprise systems in a prompt and thorough manner.

Nor is an email notification issued by the provisioning/de-provisioning system sufficient for anything more than the first phase of an overall Identity Management project.


By completely automating the process, we make sure that everything gets done at termination time. Following the classic provisioning arguments, we make sure it is done in a timely manner, without the chance of manual operator error, and recorded in the audit/compliance database for future reference.


Realistically, we make sure that the barn door is closed before the horse can get out.
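As an added illustration (not code from the original post or from any IdM product) of the automated termination described above: the routine below revokes a departing user on every registered sensitive system (directory, PKI, key card), verifies each revocation, writes one audit row per system plus a summary, and refuses to report the termination as complete if any system is unreachable or still shows the user active. The `CredentialStore` class, system names and user names are constructed stand-ins.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

@dataclass
class AuditRecord:  # one row in the audit/compliance database
    user: str
    system: str
    action: str
    outcome: str
    at: str

class CredentialStore:
    """Constructed stand-in for a directory, PKI, token or key-card system."""
    def __init__(self, name: str, holders, reachable: bool = True):
        self.name, self.holders, self.reachable = name, set(holders), reachable
    def revoke(self, user: str) -> None:
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        self.holders.discard(user)
    def is_active(self, user: str) -> bool:
        return user in self.holders

def _now() -> str:
    return datetime.now(timezone.utc).isoformat()

def deprovision(user: str, systems: List[CredentialStore], audit: List[AuditRecord]) -> bool:
    """Revoke `user` on every registered system, verify each revocation, and
    record one audit row per system plus a summary row. Returns True only when
    no system still reports the user active; a partial result is never
    silently treated as a completed termination (the barn door stays open)."""
    failures = []
    for store in systems:
        try:
            store.revoke(user)
            outcome = "revoked" if not store.is_active(user) else "still-active"
        except ConnectionError as exc:
            outcome = f"error: {exc}"
        audit.append(AuditRecord(user, store.name, "revoke", outcome, _now()))
        if outcome != "revoked":
            failures.append(store.name)
    summary = "complete" if not failures else "incomplete: " + ", ".join(failures)
    audit.append(AuditRecord(user, "*", "termination", summary, _now()))
    return not failures

def sample_systems(keycard_reachable: bool = True) -> List[CredentialStore]:
    """Constructed sample: 'jdoe' holds a directory account, a certificate and a key card."""
    return [CredentialStore("directory", {"jdoe", "asmith"}),
            CredentialStore("pki", {"jdoe"}),
            CredentialStore("keycard", {"jdoe"}, reachable=keycard_reachable)]
```

Run `deprovision("jdoe", sample_systems(keycard_reachable=False), [])` to see the failure path: the key-card system is unreachable, so the summary row reads "incomplete: keycard" and the call returns False instead of a false all-clear.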

2 comments:

Brian P said...

Deprovisioning is one of the most important aspects of Identity Management. And just when you think you've got it nailed, see how well your system works when you need to terminate one of your domain admins (or similar IdM Super-Admin).

Matt Pollicove said...

Very true, Brian. It's something that always needs to be monitored. And you raise a good point about super accounts. Remember Terry Childs?

Also I did not touch on another potential trouble spot... Service Accounts.