and how you need to define what attributes you need to store in your IBoR
In this post, I want to cover identity types and Authoritative Sources (AS). For any system, you need to ensure that you use a consistent, accurate source. What you don't want is to use the network as a book of record.
[Figure: Authoritative Sources, Identities and Credential mapping]
For each identity type, there is usually one or more authoritative sources available. Each source contains different "characteristics" you may wish to store in your IBoR for identity verification. For example, the HR system may be the authoritative source of employee information, while the inventory system maintains the user's workstation ID. If you wish to use this workstation ID for identity verification, hook it in as you would any microservices API or centralized DB.
Make sure you cover all credential types. If no authoritative source exists, you need to create one. This is where intake systems and approvals become necessary.
This is usually the first step in building out identity governance and an identity-centric approach to security.
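To make the mapping concrete, here is an added example (not code from the original post) of a minimal IBoR build: each attribute is taken only from the source declared authoritative for that identity type, every credential is tagged with its type, and any identity that no authoritative source vouches for is routed to an intake queue instead of being trusted. The source names (`hr`, `inventory`, `automation_catalog`, `network_directory`) and all feed data are constructed placeholders.

```python
from dataclasses import dataclass, field

# Which source is authoritative for which attribute, per identity type.
# Constructed mapping; the system names are placeholders for this example.
AUTHORITATIVE = {
    "employee": {"name": "hr", "manager": "hr", "workstation_id": "inventory"},
    "rpa_bot": {"name": "automation_catalog", "owner": "automation_catalog"},
}

@dataclass
class Identity:
    uid: str
    identity_type: str
    attributes: dict = field(default_factory=dict)
    provenance: dict = field(default_factory=dict)  # attribute -> source it came from
    credential_types: set = field(default_factory=set)

def build_ibor(feeds, credentials):
    """feeds: {source: {uid: {attr: value}}}; credentials: [(uid, cred_type, identity_type)].
    Returns (ibor, intake_queue). Only the declared authoritative source is consulted
    for each attribute; other feeds (e.g. a network directory) are never used as a
    book of record, even if they carry the same field."""
    ibor, intake_queue = {}, []
    for uid, cred_type, identity_type in credentials:
        ident = ibor.setdefault(uid, Identity(uid, identity_type))
        ident.credential_types.add(cred_type)
        for attr, source in AUTHORITATIVE.get(identity_type, {}).items():
            value = feeds.get(source, {}).get(uid, {}).get(attr)
            if value is not None:
                ident.attributes[attr] = value
                ident.provenance[attr] = source
        # No authoritative source knows this uid: it needs intake and approval
        # before the IBoR itself becomes authoritative for it.
        if not ident.attributes and uid not in intake_queue:
            intake_queue.append(uid)
    return ibor, intake_queue

def identities_with_credential(ibor, cred_type):
    """Lookup an incident responder or UEBA policy would run, e.g. 'which accounts hold API tokens'."""
    return sorted(uid for uid, ident in ibor.items() if cred_type in ident.credential_types)

# Constructed sample feeds and credential inventory.
FEEDS = {
    "hr": {"u1001": {"name": "A. Example", "manager": "u1000", "workstation_id": "STALE"}},
    "inventory": {"u1001": {"workstation_id": "WS-4471"}},
    "network_directory": {"svc-rpa-07": {"name": "rpa bot"}},  # not authoritative for anything
}
CREDENTIALS = [
    ("u1001", "password", "employee"),
    ("u1001", "ssh_key", "employee"),
    ("svc-rpa-07", "api_token", "rpa_bot"),
]
```

Running `build_ibor(FEEDS, CREDENTIALS)` yields the employee record with the workstation ID sourced from inventory (the stale HR copy is ignored) and places `svc-rpa-07` in the intake queue because its declared source has no feed.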

2 comments:
Is there a suggested approach or best-practice recommendations for setting up RPA with bots, or are they considered/treated as "non-people based people" since there may be an AI component (i.e. learn-adapt-make decision)? Any pitfalls to avoid, hidden benefits or a process that should be followed during planning/design in terms of identities versus credentials? Would you consider this a potential recipe for disaster unless planned out well, regardless of any vendor tool whose marketing claims it's easy?
We need to define a credential type for every credential that:
1) Has a control that is different for that credential type (aka if you write in your control standards the need for RPA accounts 60).
2) If you need to know it's an RPA account to respond to incidents. Say a UEBA policy requires knowing what accounts are RPAs.
Your IBoR becomes authoritative. Flags can be added, but cleanup is always harder than planning.
That said, the KISS principle applies: if you have no reason to call them out, why?