Monday, June 29, 2009

Where are the controls

I got this "joke" email from a family member, which I think proves some interesting points in the field of Identity Management, especially where governance controls are involved:

Outside the Bristol Zoo, in England, there is a parking lot for 150 cars and 8 coaches, or buses.

It was manned by a very pleasant attendant with a ticket machine charging cars £1 (about $1.40) and coaches £5 (about $7).

This parking attendant worked there solid for all of 25 years. Then, one day, he just didn't turn up for work.

"Oh well", said Bristol Zoo Management - "we'd better phone up the City Council and get them to send a new parking attendant..."

"Err ... no", said the Council, "that parking lot is your responsibility."

"Err ... no", said Bristol Zoo Management, "the attendant was employed by the City Council, wasn't he?"

"Err ... NO!" insisted the Council.

Sitting in his villa somewhere on the coast of Spain is a bloke who had been taking the parking lot fees, estimated at £400 (about $560) per day at Bristol Zoo for the last 25 years. Assuming 7 days a week, this amounts to just over £3.6 million ($7 million)!


So what's the point here? Without governance controls anyone can come in and rule the roost. There is no accountability, control or record. I know I've been harping on this a lot lately, but it seems to me that if controls, and a means of reviewing their implementation and usage, are not in place, anyone can walk away with the keys to the kingdom, as it were.

This is much like what happened with Abdirahman Ismail Abdi or even Terry Childs, both of whom I have commented on before. If either one of them had been subject to some sort of governance process it would have been much more difficult for them to execute their schemes.

After all, you know what they say, "a million here, a million there and soon we're talking about real money."

Monday, June 22, 2009

Promising News

Had an interesting article cross my email today from techtarget.com. It nicely dovetails with discussions I've had with many in the IdM and Security fields.

The basic fact is that businesses save money when they implement Security and Identity Management projects. The cost of one security breach, password exploit, compliance violation, etc. dwarfs the investment in and maintenance of a sound enterprise security infrastructure.

I found it interesting that the experts quoted in the article specifically referenced encryption, compliance and Identity and Access Management technologies. I would also recommend the use of SSO technologies, which make it easier to enforce password policy and promote compliance.

In the war of data security, a good defense is the best offense.

Monday, June 15, 2009

The Yo-yo theory

I was talking to someone the other day about the economy and how IT and security are affected by it and I made the following observation and analogy:

Everyone knows IT spending is important and can result in real benefit to the company; however, there's a tendency to use yo-yo budgeting.

When things get tough, the yo-yo is dropped as spending slows, and we expect IT to run on the bottom for as long as possible; eventually, though, we need to snap the yo-yo back up and catch up on technology.

Maybe the reasoning is a bit simplistic (after all, I'm an IdM architect, not an economist) but I think it holds up, and I'm pretty sure this model would extend beyond IT as well. I'm wondering how far the model holds: does a slower decline mean you can stay down longer or not? Does each department have its own yo-yo?

Where's an economist when you need one?

Sunday, June 07, 2009

Central Management

One of the objectives of my trip to Europe is to consider what additional systems an Identity Management system should be supporting.


Perhaps the biggest area not being supported is security applications. One wonders why this is so. Being able to centrally manage Smart Cards, Certificates and Tokens is critical to maintaining security and regulatory compliance.


Take this example, where Abdirahman Ismail Abdi managed to resign and commit 9.2 million dollars in fraudulent wire transfers with his still-active electronic key card.


From an IdM perspective, we need to realize that de-provisioning must cover all sensitive Enterprise systems in a prompt and thorough manner.

Nor is an email notification issued by the provisioning/de-provisioning system sufficient for anything beyond the first phase of an overall Identity Management project.


By completely automating the process we make sure that everything gets done at termination time. Going with the classic provisioning arguments, we make sure it is done in a timely manner, without the chance of manual operator error, and that it is recorded in the audit/compliance database for future reference.


Realistically, we make sure that the barn door is closed before the horse can get out.
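The termination reconciliation described above, as an added example (not code from the original post): it compares an HR termination feed against what each credential store reports as active, flags credentials still live after their owner's termination date (the still-active key card case), flags required stores that sent no snapshot at all, and writes an audit record for each decision. All users, store names, dates and identifiers are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Credential:
    system: str    # credential store, e.g. "keycard", "pki", "token", "ad"
    user: str      # owner's HR identifier
    cred_id: str   # identifier inside that store
    active: bool   # what the store currently reports

# Stores the termination workflow must cover (assumed list for this example)
REQUIRED_SYSTEMS = {"keycard", "pki", "token", "ad", "vpn"}

# Constructed HR feed: user -> termination date, or None while still employed
HR_TERMINATIONS = {"aabdi": date(2009, 5, 15), "tchilds": date(2008, 7, 13), "jsmith": None}

# Constructed snapshot of what each store reports as active today
SYSTEM_CREDENTIALS = [
    Credential("keycard", "aabdi", "KC-1042", True),               # key card still live
    Credential("ad", "aabdi", "aabdi", False),                     # directory account disabled
    Credential("pki", "tchilds", "CN=tchilds/serial=7f2a", True),  # cert never revoked
    Credential("token", "jsmith", "OTP-5511", True),               # current employee, fine
]
AS_OF = date(2009, 6, 7)

def find_orphaned_credentials(hr, creds, as_of):
    """Credentials still active for users whose termination date has passed."""
    return [c for c in creds
            if c.active and hr.get(c.user) is not None and hr[c.user] <= as_of]

def uncovered_systems(creds):
    """Required stores that sent no snapshot: a gap the workflow cannot see into."""
    return REQUIRED_SYSTEMS - {c.system for c in creds}

def reconcile(hr, creds, as_of, audit_log):
    """Deactivate every orphaned credential and record each decision for audit."""
    orphaned = find_orphaned_credentials(hr, creds, as_of)
    for c in orphaned:
        c.active = False  # a real workflow calls the store's revocation API here
        audit_log.append({"date": as_of.isoformat(), "action": "revoke", "system": c.system,
                          "user": c.user, "cred_id": c.cred_id, "terminated": hr[c.user].isoformat()})
    for system in sorted(uncovered_systems(creds)):
        audit_log.append({"date": as_of.isoformat(), "action": "coverage_gap", "system": system})
    return orphaned

if __name__ == "__main__":
    log = []
    for c in reconcile(HR_TERMINATIONS, SYSTEM_CREDENTIALS, AS_OF, log):
        print(f"revoked {c.system}:{c.cred_id} ({c.user} terminated {HR_TERMINATIONS[c.user]})")
    print(*log, sep="\n")
```

A coverage gap entry in the audit log is the signal that a store was never wired into de-provisioning, which is exactly the condition an email-only process cannot detect.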