2020-02-11

What is a "Closed-Loop"

Well, after my post "What's your Book of Record?", someone asked what I meant by a "closed-loop". Since this is a knowledge-sharing blog, intended for all levels, I thought it a good idea to go over the concept for anyone not that familiar with it.

Management is the noun for the verb to manage. Put differently, what differentiates good IAM from bad IAM, whatever the product or process, is how well you actually manage identity and access. I was once present when a CISO explained to a CIO what a control really means, in the context of a clean-up that was needed. It struck me in its simplicity: "a control is something we put in place to ensure we control or manage something correctly. We are then audited to show the effectiveness of that control, and if we fail to clean up, it shows a lack of control and therefore a gap in our controls." This is not a career for writing a document (or a blog), a standard or a risk assessment and then going home. It's about systems, integration, accuracy and demonstrating control.

Good management systems work in a closed-loop. The management system pushes changes to the system or network endpoints, and in return it reconciles the actual state of those endpoints against its own records. The loop is closed when any differences found are addressed, so that the two stay in sync. Should something change on an endpoint that the management system did not itself manage, that change should be treated as an incident and investigated. For example, a user is added directly to a database rather than via the management system. Since the management system was not aware of this user being added, you now have two systems giving you different views of who has access to the database. Reconciliation should always be a change to the system that is not the book of record (BoR), never a silent update of the BoR to match.

With our security hats on, if a user suddenly appears on the database without going through the management system, it was likely not requested, approved or provisioned legitimately. At best it is an administrator bypassing process; at worst it is an attacker creating an account for persistence, which is why the difference must be investigated rather than just corrected. (Note: this holds only if your management system is not so poorly designed that the business chooses to ignore it, and the data in it is accurate enough to be trusted. If every team bypasses it, every reconciliation run will be noise.)

Given that the management system is a single, hardened, audited point of control, whereas the endpoints are many and each has its own attack surface, and given the purpose of a management system, in IAM it should usually be the BoR (Book of Record). With the management system as the BoR, on finding the difference in the example above, the user should be removed from the database and not added to the management system during reconciliation. If this process is in place, and the removal plus the investigation actually happen, you have "closed the loop".

This is different from, say, a SIEM, where you usually treat the system or network endpoint as the book of record, because you are not managing the endpoint but alerting on changes to it. A SIEM can tell you that a user appeared; it cannot tell you whether that user should exist, and it will not remove them. This difference is why I wrote the post "What's your Book of Record?"
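The two modes described above, reconciliation with the management system as BoR versus a SIEM-style comparison where the endpoint is the BoR, as an added example that is not part of the original post. The account names, the `Action` type and the helper functions are my own constructed illustration; a real implementation would read the endpoint state from the database and the BoR from the IAM system.

```python
"""Closed-loop reconciliation between a book of record (BoR) and an endpoint.

Constructed example: the data sets, the Action type and the function names are
assumptions for illustration, not a real product's API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    kind: str      # "remove_from_endpoint", "add_to_endpoint" or "alert"
    account: str
    reason: str


# Constructed sample: what the IAM management system believes exists on the DB.
IAM_BOR = {"alice", "bob", "carol"}
# Constructed sample: accounts actually present on the database right now.
# 'carol' was never created, 'mallory' was added directly on the database.
DB_ACCOUNTS = {"alice", "bob", "mallory"}


def reconcile(bor: set[str], endpoint: set[str],
              bor_is_management_system: bool) -> list[Action]:
    """Compare the BoR with the endpoint and return the corrective actions.

    If the BoR is the management system (IAM mode), drift is corrected on the
    endpoint AND raised for investigation: the endpoint is never allowed to
    silently update the BoR.  If the BoR is the endpoint itself (SIEM mode),
    nothing is changed anywhere; every difference is only an alert.
    """
    actions: list[Action] = []
    unmanaged = endpoint - bor   # on the endpoint, unknown to the BoR
    missing = bor - endpoint     # in the BoR, absent from the endpoint

    for acct in sorted(unmanaged):
        if bor_is_management_system:
            actions.append(Action("remove_from_endpoint", acct,
                                  "account not provisioned via management system"))
            actions.append(Action("alert", acct,
                                  "unmanaged change on endpoint; investigate how it got there"))
        else:
            actions.append(Action("alert", acct, "new account observed on endpoint"))

    for acct in sorted(missing):
        if bor_is_management_system:
            actions.append(Action("add_to_endpoint", acct,
                                  "approved account missing from endpoint"))
        else:
            actions.append(Action("alert", acct, "account disappeared from endpoint"))

    return actions


def apply_to_endpoint(endpoint: set[str], actions: list[Action]) -> set[str]:
    """Apply only the endpoint-side actions; alerts change no state."""
    result = set(endpoint)
    for a in actions:
        if a.kind == "remove_from_endpoint":
            result.discard(a.account)
        elif a.kind == "add_to_endpoint":
            result.add(a.account)
    return result


def loop_is_closed(bor: set[str], endpoint: set[str], actions: list[Action]) -> bool:
    """The loop is closed when, after remediation, endpoint and BoR agree."""
    return apply_to_endpoint(endpoint, actions) == bor


if __name__ == "__main__":
    # IAM mode: the management system is the BoR, so 'mallory' is removed and
    # 'carol' is created; the unmanaged 'mallory' still produces an alert.
    acts = reconcile(IAM_BOR, DB_ACCOUNTS, bor_is_management_system=True)
    for a in acts:
        print(f"{a.kind:22} {a.account:10} {a.reason}")
    print("loop closed:", loop_is_closed(IAM_BOR, DB_ACCOUNTS, acts))

    # SIEM mode: the previous endpoint snapshot is the BoR; we only alert.
    siem = reconcile({"alice", "bob"}, DB_ACCOUNTS, bor_is_management_system=False)
    for a in siem:
        print(f"{a.kind:22} {a.account:10} {a.reason}")
```

Note the asymmetry that the post is about: in IAM mode the drift is both corrected and alerted, because removing the account restores control but only the investigation tells you whether it was an admin shortcut or an attacker's persistence. In SIEM mode `apply_to_endpoint` is a no-op, which is exactly why a SIEM alone cannot close the loop.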
