2020-02-14

Data Stores - Entitlement Book of Record (EBoR)

Technologies and vendors come and go, and for this reason I would like to keep this blog as vendor neutral as possible. For example, SailPoint might call it your Identity Cube and identity warehouse; I use the terms keychain and IBoR.

For anyone that has designed SOA based applications or database tables, this post may be obvious. For those that have not, there is an important intersection of the IBoR and the Entitlement Catalogue, which I will call the EBoR. While an IBoR contains identities and credentials, and the Entitlement Catalogue lists what is available for access (your identity service catalogue), your EBoR records who has access to what.

It's essentially a point-in-time report, connecting a user's identity to all the entitlements they hold, or an entitlement to all the users that have access to it: who had access to this field 2 weeks ago, or what did Bob have access to 2 weeks ago? Although it is a point-in-time view, the query needs to be able to run on demand, not in a batch.

Depending on your decision on zero trust and the network as the book of record, this should be a query against your identity management system as the authoritative source, not the endpoints. This is the reason data stores are so important for building trust.

This should also be what is certified by the user's manager as the third lifecycle within the user's access lifecycle. If you pull from the endpoints, how do you know the access was gained legitimately? Rather, your Moves, Adds and Changes, managed in your identity management system, keep track of what access you should have, and any discrepancies are dealt with on the network side.

Your access request systems should be greatly simplified: for the identity Bay Li requesting role 123, the workflow is defined for the entitlement. The business description, technical description, need for a separate credential, approval flow, through to provisioning, are all defined already. Role 123 could be a business role, IT role or application role.

So if you want to know who your privileged users are, today, how would you know? If a critical system has a known unpatched vulnerability, who has access?
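As an added illustration (not code from the original post), here is a minimal effective-dated EBoR in SQLite that answers the point-in-time questions above: who held an entitlement on a given date, what an identity held, who the privileged users were, and which endpoint-observed access has no matching grant in the identity management system. The identities, entitlements and dates are constructed sample data.

```python
import sqlite3

# Schema for a minimal entitlement book of record (EBoR). Grants are
# effective-dated so the store can answer point-in-time questions.
SCHEMA = """
CREATE TABLE identity (id TEXT PRIMARY KEY, display_name TEXT);
CREATE TABLE entitlement (id TEXT PRIMARY KEY, description TEXT, privileged INTEGER);
CREATE TABLE grant_record (
    identity_id TEXT REFERENCES identity(id),
    entitlement_id TEXT REFERENCES entitlement(id),
    valid_from TEXT NOT NULL,   -- ISO-8601 date; compares lexicographically
    valid_to TEXT               -- NULL = still active in the IdM system
);
"""

# Constructed sample data; identities and entitlements are hypothetical.
IDENTITIES = [("bob", "Bob"), ("bay.li", "Bay Li")]
ENTITLEMENTS = [("role123", "application role 123", 0),
                ("db_admin", "DBA on the customer database", 1)]
GRANTS = [("bob", "role123", "2020-01-01", None),
          ("bob", "db_admin", "2019-12-01", "2020-02-01"),  # revoked via IdM
          ("bay.li", "role123", "2020-02-10", None)]

def open_ebor():
    """Build the in-memory EBoR from the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO identity VALUES (?, ?)", IDENTITIES)
    conn.executemany("INSERT INTO entitlement VALUES (?, ?, ?)", ENTITLEMENTS)
    conn.executemany("INSERT INTO grant_record VALUES (?, ?, ?, ?)", GRANTS)
    return conn

# A grant is in force at `at` if it started on or before `at` and has not ended.
ACTIVE = "valid_from <= ? AND (valid_to IS NULL OR valid_to > ?)"

def who_had_access(conn, entitlement_id, at):
    """Identities holding one entitlement at a point in time."""
    sql = f"SELECT identity_id FROM grant_record WHERE entitlement_id = ? AND {ACTIVE} ORDER BY 1"
    return [r[0] for r in conn.execute(sql, (entitlement_id, at, at))]

def what_had_access(conn, identity_id, at):
    """Entitlements one identity held at a point in time."""
    sql = f"SELECT entitlement_id FROM grant_record WHERE identity_id = ? AND {ACTIVE} ORDER BY 1"
    return [r[0] for r in conn.execute(sql, (identity_id, at, at))]

def privileged_users(conn, at):
    """Who held any privileged entitlement at a point in time."""
    sql = (f"SELECT DISTINCT g.identity_id FROM grant_record g JOIN entitlement e "
           f"ON e.id = g.entitlement_id WHERE e.privileged = 1 AND {ACTIVE} ORDER BY 1")
    return [r[0] for r in conn.execute(sql, (at, at))]

def unexplained_access(conn, observed, at):
    """Endpoint-observed (identity, entitlement) pairs with no IdM grant at `at`."""
    sql = f"SELECT identity_id, entitlement_id FROM grant_record WHERE {ACTIVE}"
    return set(observed) - {(i, e) for i, e in conn.execute(sql, (at, at))}
```

The last function is the discrepancy check from the post: anything the endpoint reports that the IdM system never granted (here, Bob still holding db_admin after the IdM revocation) is what gets dealt with on the network side.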
