Two Hard Problems in Identity Management – Part 1
A Bit of Security for July 18, 2024
Today, we’re diving into the deep end on identity management. I want to focus on two aspects of an identity management rollout that often lead to wasted resources and frustration. The first is how to handle transitions, and the second is the value of role-based or rule-based access control.
Early IdM tools oversimplified the process of changing a user’s permissions. They treated any change as a simple add or delete, and enforced rules prohibiting inconsistencies. In the real world, changes occur over time, with conditions. For instance, when I moved from Boston to Poughkeepsie, I registered to vote (it was an election year) as soon as I got my first utility bill (proof of residency). But I held my valid Commonwealth of Massachusetts driver’s license for another month. A simple IdM solution would have either invalidated my driver’s license or prohibited me from voting! But in fact, that inconsistency was perfectly allowable, because when you move you have 60 days to get your new driver’s license. When a person changes a role, they may lose certain permissions immediately, and others later, perhaps after finishing a project. They might pick up new permissions immediately, and others following some kind of certification or background check. And other permissions may persist across the transition unchanged.
Separation of duties requires that the actual set of effective permissions is aligned with the user’s role and duties. When a situation arises that would violate separation of duties, the appropriate action is to treat the apparent violation as a form of request, and process it as such. For instance, once I worked as a development programmer at an insurance company. There was an emergency caused by a code bug. I had to develop and turn around the fix quickly. I did the code, had it checked by a peer, and then had to move it into production. But developers didn’t have access rights to the production systems. To allow the fix into production, the operations team had to shut off logging and access control restrictions until my change was in the production library. We fixed the doc manually later. A wiser course would be a tool that treated a request for access that violated SoD as a weird request, and sent it along to the folks who had the power to grant such a deviation – my boss, the shift supervisor, and a security rep. They would vote collectively to approve it; the anomalous access would be granted for a fixed time, and once the task was done, the access would be revoked. Note that we would have full logging of the event – no gap in the record.
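As an added illustration (not the author’s code or any product’s), here is a minimal Python model of the two ideas above: grants with effective windows, so a permission can outlive or lag a transition, and SoD conflicts handled as time-bounded exception requests that need every named approver before they take effect, with an unbroken log throughout. The permission names, approver roles and conflict pair are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Grant:
    permission: str
    start: datetime
    end: datetime | None = None  # None: persists until explicitly revoked
    def active(self, at: datetime) -> bool:
        return self.start <= at and (self.end is None or at < self.end)

@dataclass
class Account:
    grants: list[Grant] = field(default_factory=list)
    pending: dict[str, set[str]] = field(default_factory=dict)  # permission -> roles that have approved
    log: list[str] = field(default_factory=list)            # full record; no gap while an exception is live

    def effective(self, at: datetime) -> set[str]:
        return {g.permission for g in self.grants if g.active(at)}

# Constructed sample policy: permissions that must not be held at the same time.
SOD_CONFLICTS = {frozenset({"develop-code", "deploy-prod"})}
# Every one of these must sign off on a deviation (the boss, shift supervisor and security rep).
REQUIRED_APPROVERS = {"manager", "shift-supervisor", "security"}

def request(acct: Account, perm: str, at: datetime, ttl: timedelta | None = None) -> str:
    """Grant outright when no SoD conflict exists; otherwise open an exception request rather than deny."""
    if any(frozenset({perm, held}) in SOD_CONFLICTS for held in acct.effective(at)):
        acct.pending[perm] = set()
        acct.log.append(f"{at.isoformat()} SOD-EXCEPTION-REQUESTED {perm}")
        return "pending"
    acct.grants.append(Grant(perm, at, at + ttl if ttl else None))
    acct.log.append(f"{at.isoformat()} GRANTED {perm}")
    return "granted"

def approve(acct: Account, perm: str, role: str, at: datetime, ttl: timedelta) -> str:
    """Record one approver's vote; once every required role has voted, grant for a fixed window."""
    votes = acct.pending.get(perm)
    if votes is None:
        return "no-request"
    votes.add(role)
    acct.log.append(f"{at.isoformat()} APPROVAL {perm} by {role}")
    if not REQUIRED_APPROVERS <= votes:
        return "pending"
    del acct.pending[perm]
    acct.grants.append(Grant(perm, at, at + ttl))  # expires on its own; no manual revocation step
    acct.log.append(f"{at.isoformat()} SOD-EXCEPTION-GRANTED {perm} until {(at + ttl).isoformat()}")
    return "granted"
```

The moving-house case from the text maps onto two grants with different windows (a new registration that starts now, an old license that ends in 60 days), while the production-fix case becomes a pending request that only the full approver set can turn into a four-hour grant.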
As for roles, consider the experience of organizations that have tried to apply fully detailed roles (and the same happens with rules, too, by the way). At MIT there was a pool of about 9,000 grad students, administration, and research faculty. After analyzing the access patterns, the organization ended up developing 14,000 roles, and the average user had about eight. Note that if the problem is 9,000, the solution should not look like 14,000. Roles do work when they are broad and general, and can be superseded by effective detailed permissions. For instance, a retail bank might have a large number of tellers, all of whom have similar permissions. A junior teller has access to certain applications, and after a trial period may get access to more. But once you get outside the domain of very well-defined jobs, roles only get in the way. What is the proper role for a middle manager in a small enterprise who handles production one day, sits in on a marketing meeting the next, and gets a call from a customer executive on the way to the meeting? Excessive role infrastructure only gets in the way. Six or seven should do it.
There are two hard problems in identity management – changing a user’s permissions, and deploying roles effectively. This talk will discuss solutions. The next talk will look into why Identity Management problems are so hard. Listen to this -
Let me know what you think in the comments below or at wjmalik@noc.social
#cybersecuritytips #IDM #IAM #identitymanagement #BitofSec