IAM Round Table Notes

Andy Harris

How the Cloud creates elephants in the room
Yesterday we attended a round table session about building effective Identity and Access Management solutions. Before we got into the subject, there was an interesting discussion about who in an organisation knew who should be identified in the first place.
The obvious suggestion was HR… they would know all the leavers and starters, and should keep track of all the contractors. However, HR wouldn’t know about all the staff at outsourcing companies, still less if those outsourcers then outsourced in turn. Then there was the issue of all the temporary staff that departments use on an ad-hoc basis.
The discussion moved on to contractor renewal, specifically the way that companies often renew contracts on the very last day. Some HR departments have systems that automatically remove accounts, so there is a delay in getting them re-enabled. The consequence is that contractors don’t have system access and therefore get paid for nothing, or they end up sharing accounts.
Account sharing was seen as a real risk in cloud-based applications – particularly Salesforce; most companies around the table were aware of the practice of sharing credentials with temps during sales campaigns. The fact that cloud-based accounts are not linked to companies’ Active Directory infrastructures was seen as a big issue. Sales and Marketing departments were known to be lackadaisical with account management purely because it’s work that is viewed as separate from their core goals.
So here’s the elephant that the cloud creates: end-user departments order applications straight from the cloud; it’s easy, they don’t need support from IT, and they get the benefits straight away. Security is part of everyone’s core goals, but they think the CISO has got it covered. The CISO can’t advise on what they don’t know has been deployed, and even when they do know, it’s only in an ‘advisory’ role. Now everyone knows that security is important, but no-one is doing it!
This brought the table around to thinking about whether or not Active Directories contained the truth as to who had access to systems in an organisation.
We came up with these four questions:
- How many people here believe that AD contains the truth about people and accounts in their organisations? – Of the 11 people present, none thought this statement true!
- How old is your oldest AD password? – Those brave enough to reply said either the age of the organisation or the age of AD!
- How many generic accounts do you have, and are they shared? – Too many and too often was the consensus.
- How often do departments grant access to some external party ‘just for a day’? – Most departments are guilty.
Beyond the questions, all organisations present would have to go to multiple applications to work out who had privileged access to their systems, and everyone agreed that larger organisations would not be able to create a definitive list.
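One way to get a first answer to the password-age and generic-account questions above from Active Directory, as an added example that is not Osirium’s code or anything shown at the session; the 90-day threshold and the name patterns used to spot generic accounts are assumptions, and the sample objects at the end are constructed so the report runs offline:

```powershell
# Added example: report enabled AD accounts whose password age or naming
# suggests a shared, generic or never-rotated account. The live query needs
# the RSAT ActiveDirectory module; the constructed sample below does not.

function Get-PasswordAgeReport {
    param(
        # Objects with SamAccountName, PasswordLastSet, PasswordNeverExpires, Enabled
        [Parameter(Mandatory)] [object[]] $Users,
        [int] $MaxAgeDays = 90,   # assumed rotation policy
        # Assumed naming conventions for generic/shared accounts
        [string[]] $GenericPatterns = @('^svc', '^admin', '^shared', '^temp', '^test', 'generic', 'team$')
    )
    $now = Get-Date
    foreach ($u in $Users) {
        # Null PasswordLastSet means the password has never been set (or the attribute is missing)
        $age = if ($u.PasswordLastSet) { ($now - $u.PasswordLastSet).Days } else { $null }
        $isGeneric = $false
        foreach ($p in $GenericPatterns) { if ($u.SamAccountName -match $p) { $isGeneric = $true } }
        $reasons = @()
        if ($null -eq $age)            { $reasons += 'PasswordNeverSet' }
        elseif ($age -gt $MaxAgeDays)  { $reasons += "PasswordOlderThan${MaxAgeDays}d" }
        if ($u.PasswordNeverExpires)   { $reasons += 'PasswordNeverExpires' }
        if ($isGeneric)                { $reasons += 'GenericName' }
        # Disabled accounts are left out: they cannot be logged into, so they are not the live risk
        if ($reasons.Count -gt 0 -and $u.Enabled) {
            [pscustomobject]@{
                Account         = $u.SamAccountName
                PasswordAgeDays = $age
                Reasons         = ($reasons -join ',')
            }
        }
    }
}

# Live use (requires the ActiveDirectory module and read access to the domain):
# $live = Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires, Enabled
# Get-PasswordAgeReport -Users $live | Sort-Object PasswordAgeDays -Descending | Format-Table

# Constructed sample data so the report can be exercised without a domain
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jsmith';     PasswordLastSet = (Get-Date).AddDays(-30);   PasswordNeverExpires = $false; Enabled = $true  },
    [pscustomobject]@{ SamAccountName = 'svc_backup'; PasswordLastSet = (Get-Date).AddDays(-2200); PasswordNeverExpires = $true;  Enabled = $true  },
    [pscustomobject]@{ SamAccountName = 'salesteam';  PasswordLastSet = (Get-Date).AddDays(-400);  PasswordNeverExpires = $false; Enabled = $true  },
    [pscustomobject]@{ SamAccountName = 'oldtemp';    PasswordLastSet = $null;                     PasswordNeverExpires = $false; Enabled = $false }
)
Get-PasswordAgeReport -Users $sample | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

On the sample, `svc_backup` and `salesteam` are reported and `jsmith` and the disabled `oldtemp` are not; the oldest password age in the output is the direct answer to the second round-table question.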
In closing we mused over that dirty little secret – that sysadmins change their passwords less often than regular users, and use their privileges to make sure they can reuse passwords. Their excuse, of course, is that they have so many passwords to remember!
The session was over so quickly that we barely had time to point out that we could help with Privileged Access Management, but that’s the way of these events. Eventually we retired to the bar, where great tales of privilege abuse came to light.
The whole day served as a reminder that Osirium is doing the right thing in a way that organisations can use to take their journey from privilege chaos to privilege calm. That journey would make a great blog post!