[podcast] The IAM Garbage Plate
Disclaimer from Identropy: These transcripts are produced using automated tools, so may not be an exact word-for-word transcription. (i.e. - if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.
Podcast #15 Full Transcript:
Identity At The Center #15: The IAM Garbage Plate
Jeff: Welcome to another episode of the Identity at Center podcast. I'm Jeff. And that's Jim.
Jim: I'm Jim.
Jeff: You’re Jim. I'm recording live on digital tape from the Rochester, New York Airport, Marriott. That is not really about the airport. You know what? That's right.
Jim: I do, which they do have a shuttle service to the airport, so I highly recommend it.
Jeff: People here are very friendly, but it is not by the airport. I guess the shuttle service is how they are able to make that claim. But I guess it's close enough. So I'm in Rochester. You were here with me this week. I'm headed home today. We've got a little bit of a garbage plate of IAM topics that we're talking about today, in honor of Rochester. It's a famous dish, although it can't be too famous; I never really heard about it till I came here. It's basically exactly what it sounds like. The garbage plate: fries, beans, macaroni or whatever, topped with different types of meat, cheeseburger or hamburger or Italian sausage, steak, chicken, whatever meat you want on top. And then hot sauce on top. It sounds gross. People swear by it around here, though, so in honor of that garbage plate, I think we'll probably collect a few different odds and ends of IAM topics and we'll do that in honor of Rochester. Jim?
Jim: I think the thing I like about the garbage plate is that you can have any of the items that you want and you don't have to have any items that you don't want. So in other words, you took playful things that you like. The thing I don't like about the garbage plate is the name. I'm not eating anything that's called garbage.
Jeff: They have so much different stuff. A garbage plate is like junk plates, it's not appetizing.
Jim: You haven't named a kind of plate that I want to eat yet.
Jeff: Right. We just have garbage nachos. And I was working in Fitzharris a long time ago, but that's just basically nachos with just everything thrown on top of them, which is, I guess, the same kind of concept.
Jim: All the food that you're going to get rid of. Different cities have that special dish. Cincinnati has one, chili on top of spaghetti.
Jeff: And macaroni, three ways to a five way.
Jim: I like that. I like the Piemonte sandwich, the Pittsburgh thing with their French fries on the sandwich. Pamunkey, that's like... anybody out there from Pittsburgh, email into the show and let us know if I got it right. That's like a sandwich with French fries on it, which I think is a capable idea.
Jeff: Anything fried between bread?
Jim: Yeah, pretty much. Well, French fries have a special place in my heart.
Jeff: I think we're gonna make ourselves hungry here, should probably dive into some IAM topics. The first one that I want to talk about is something that has come up recently in one of our engagements.
That's really how you handle an access request service catalog. Set the stage on that. It's really typically, you need a way to make requests for access, and there are different products that can do that, whether it's an IGA product. But a lot of companies are also using ITSM like Workday or BMC products, those sorts of things, to be able to have a way for people to go off and request access. And this is something that's near and dear to my heart because I see this as really one of the first front doors for customers of yours, of your IAM program, coming in and using your services. What do you think, Jim?
Jim: By customers you're talking about like your internal customers, I really see it all the time, especially with ServiceNow becoming so popular. Maybe it's originally procured to have a service interface to request services or assets, physical access especially. So I need a phone. I need a headset.
We go in to the service catalog requesting all the workflow to make sure that it gets approved by the right person.
And then all of a sudden, it ends up as a ticket. So it's kind of a structure in terms of it's a ticket-based approach and makes a lot of sense. You can see how it can be extended to use for help desk tickets, and cyber requests, and then so a lot of times where we enter the picture, IT organizations have already taken many steps and they say, well, the next natural extension is to have the IT service management system available to request Saga access, so to request roles and accounts on various applications. And that's where I think it maybe goes a step too far. And the reason I say that is that, well, if you take a step back, you own your organization that doesn't have the concept of a service catalog or ITSM.
You take a picture of, OK, what you need from identity management and it's the full lifecycle. And Sergeant with the concept of having one place to go to move those resources to what having that picture of all the access that you have in the environment as not does what access you provisioned right from your starting point.
So in this case, say your ServiceNow is OK, provisionally accounts, but other access may exist in those applications that you don't have a full picture of. So if you only go to your service catalog, say, hey, we just, you know, I know my point of jumping forward. You're a little bit, we walk somebody out today. Jeff is no longer an employee. We need to make sure we put off all this access. Give me a report of all the access he has. If I said, well, here's all the access that we gave him out of ServiceNow, that's not the full picture necessarily. Maybe it is, but it probably isn't. Jeff probably accumulated access through initial onboarding or maybe prior to the ITSM system being set up or maybe by some backdoor provisioning process that bypassed ITSM. So the modern day identity governance is pulling all that in and correlating it with an identity from an authoritative service, so maybe the system will be able to say here is all the access that Jeff has.
So I guess where I'm going is that my big concern is that, implementing an ITSM system isn't going to get you. They don't have the Identity governance capability. So you're going to use both. You have to figure out a way to integrate them so they work together.
Jeff: Right. That ticketing system is really just a point in time of when access was requested but not necessarily fulfilled. Good for audits, etc.
But any audit is going to then compare that against the lifecycle system to see if in fact that trail still holds true, so if something happened out of band, it may not be captured in the ticketing system. But when it comes to making the requests, that's where the act is kind of comes in. And there's a few things that I've jotted down as a sort of key to making sure that service is accessible and makes sense for the user and something they would want to use. And I think the first thing to consider really is data quality going into that system. So a lot of times we'll see applications that have really poor data quality. Sometimes it's even just Active Directory. And by the data quality, I mean not very business friendly from a group name: lots of slashes and dashes in the name, acronyms, things that maybe don't make sense for the normal user and is more or less IT speak. So I think one of the first things that I like to consider when building out an access catalog is how do you standardize the information coming in and how do you come up with business friendly descriptions to be able to make it easy for people to find the access within that catalog?
The second part is really around ownership of those catalog items. So when it comes to an entitlement, my belief is that everything should have an owner and the owner should be on the business side. The business owns the data and they should be part of this process to help you develop the service catalog for their applications and their data. A business may elect to delegate the approval function to someone else. I think ultimately what you want is to have a partnership with the business to make sure that the items that are being loaded for sale, essentially, in your shop of IAM meet their requirements and make sense for the users who are going to be accessing that. And if the business is on board with that, especially when it comes time to do reviews, approvals, etc., it needs to be clear that it's not just an IT problem. There's very well a chance that IT might also be the business owner in case of a good IT resource. But you want to make sure that the business is represented and owns that entitlement. What are your thoughts on that, Jim? Have you seen issues where the business maybe doesn't want to be involved with that, or does want to be involved with it and has taken an interest in it?
Jim: I think you need to be clear about what is the expectation in terms of roles and responsibilities. My philosophy is that IT cannot decide who gets access to what; it's not appropriate.
The business needs to decide who gets access to what. However, oftentimes IT organizations are there.
I believe that IT organizations' responsibility is to provide the tools to make that a reasonable effort to manage who has access to what. And I see a lot of times that IT just doesn't have tools or hasn't rolled out the tools, and to say to the business, you own this responsibility, is kind of an unfair ask, I think. But I want to go back to the first point that you're making about Active Directory, and it just sparked a thought that I remember. So my entry way into IT was MCSE and NT 4.0. So this is going back in the late 90s. And my interest area was directories and PC networking.
And this was the time when Novell was still by far the champion over Microsoft. We all know how that story ended. And in Windows 2000, which was the first initiation of Active Directory there ever, the first Active Directory that we ever created was essentially an upgrade, pulling over all the groups that existed into Windows 2000. And I've seen kind of over and over again that the need as you go from version to version is to get all the groups of arrays that you have a project to go for, one version to the next.
And you just keep dragging along all of the bad checks that you've read at some point. You can take time to clean it up. But what happens is that doesn't get cleaned up.
And part of what doesn't get cleaned up is that there's a fear. What is that group being used for? We don't really know what that group's being used for, and that kind of goes to your point of assigning an owner and having metadata around your group. So you know what they're being used for so that, if you read, hey, this is a group being used for JD Edwards. We don't even use JD Edwards anymore. So you'd probably get rid of this group. Or that group is owned by John in accounting. We talk to John and say, do you guys ever use this group anymore? So I think having that metadata is important. The other thing that came to mind, in talking on the access catalog, is that especially in larger organizations, the idea of doing manual administration of the access catalog, that's quite a burden. I don't think we ever get away from having some manual requirements, but I do think that, in terms of when new entitlements are created in the application, somehow they need to be brought into your access catalog in an automated way.
And then there needs to be some kind of alert or something that goes back to a person who can then act on it and say, OK, a new entitlement is called group ABC. And we pulled over some metadata, including the owner of the group, or maybe that was fine, but we don't decide.
It is a group that can be requested and maybe we need to follow up to see if that group needs to get assigned to certain roles.
And I also think, the idea a mainly is that you've got to get the group into to the access requests and then you have to enhance it with things like, essentially managing do the…
Jeff: Ideally, like I said, it's automated. I don't think you get, as you mentioned, fully out of the manual business of maintaining an access catalog.
There's always stuff you want to pull in and the data you're pulling in typically depending on the product.
You'll be able to apply a little bit of a translation to it, pull it in and have like a little technical underpinning behind it.
And then on top of it, you've got the business friendly component of what is this group actually mean and who's the approver.
But I think it brings out an interesting point as far as when new groups get created. Part of the hygiene that goes into just creating, let's say, an Active Directory group is to work with the teams that are creating those groups, Windows admins, server admins, etc., and work with them to collect all the data that's needed to make sure that when it gets into the access catalog, you know who to contact.
You know who's the owner for it? What's this group used for, etc.? So that you're not starting from essentially zero when a group gets created that's done after the fact, or maybe it's done separate from whatever project is done to import maybe a mass group of them, etc.
Jim: That's absolutely correct. They thought we'd be there, you're managing a system and you say the system is integrated with your service or your access request system. In other words, you can't get into group ABC unless it goes through this workflow chain, you're just automatically provisioned or a ticket is issued. Then the business says, okay, we created the group in, say, Salesforce, but at the same time we need to go back into our access request system or access catalog and make sure that that entitlement gets requested. Now, whether or not the thing goes self-service and manages things in the access catalog, probably not, although maybe the business has to kind of be bought into that process and, go ahead and create your entitlement. It's going to get pulled over into our access catalog again, in origin to make a request symbol, you have to go through and provide it. Do they like who's going to approve that role? Who's the owner for that role? etc.
Jeff: Yeah, and it finally work off it pretty well. That's how I've done in the past is here's all the roles and here's all the entitlements, let's create corresponding business friendly descriptions around it owners and work with the business. Say, OK, here's this access, here's what it does is this description makes sense.
Do we need to make tweaks to it, etc.? And then I like to have the business act as the you know, the sign off to say, OK, are you good with this data?
This is what we're going to use to make it there for people to make requests to your application. And if you're good with it, then we'll move it into production, so to speak, whether that means some sort of flat file import into the ITSM or ticketing tool or IGA tool, or manual data entry, if it comes down to that.
Jim: I do think, so kind of where we started, this catalog that I think a lot of organizations, you want to use your ITSM system from a user experience standpoint as one place to go to access or to request. The system should really do a really good job of workflow. I've seen some of those systems that have fantastic user interfaces.
So BMC Digital Workplace tool, man, is that a great user interface, very similar to an Amazon checkout type experience. The thing, from my perspective, is that where it falls short is that there's not a full IGA system, so you're going to use that to request saga access.
You need to still close the gap around the ultimate. This is kind of my perspective on IAM overall: the most important thing about having a good IAM architecture is being able to answer the question of who has access to what. In other words, if I'm in charge of IAM and someone rightfully comes to me and says, what access does Jeff Steadman have, I should be able to pull up a screen and say, this is everything that he has, everything of significance anyway, so view of things that you've determined are not significant.
In other words, they don't pose any risk to the organization, so you can track them fine.
But everything that is significant, so it has some risk associated to the organization, I should be able to say this is what Jeff has access to. Because if the next statement that they make is OK, well, Jeff left the company five minutes ago, let's make sure we shut that all off. Then boom, I can go in and kick off the shovelful ball that explains whether it's automated or is issuing tickets or whatever.
Jeff: But having that awareness right off of what I had when I left, that's key. And it stretches beyond logical access, right? It can, in a more mature environment, construction to physical: what are the different devices that were assigned to me? Credit cards, laptops, phones, ID badge? All those things ideally would be assigned to me. I think one thing that gets lost in the shuffle sometimes are the accounts that I might have shared with other people. And that's where a privileged access management tool really does a good job.
If you're vaulting credentials that I might share with other folks, service accounts, admin accounts, those sorts of things makes it an easy way to rotate that password so that you mitigate the risk of the individual who's left being able to still access resources that maybe weren't directly in my name, but that I would still have access to on your every once in a while a story. Assistant Administrator left and locked something up. I think San Francisco was a city that had to deal with that not too long ago. Maybe a few years ago, those shared accounts are definitely a risk area that you want to be able to address as well.
Jim: Well, like we talked about in a previous podcast.
It is not a matter of if, it is a matter of when something's going to happen. And then if somebody does compromise an account, if they're willing to do bad things with the account, they're not going to say, hey, I've got an account. So that person could be in the network and doing things for, on average, data breaches aren't discovered for about a half a year. And that's a number that's stayed consistent over the years. So lots of different organizations have done the same type of analysis over the past decade.
And that time is not really shrinking the amount of time it takes to discover that you've been breached and it takes about on average two and a half months to 75 days to actually recover from a breach or not recover, but just actually close the breach, you may never recover completely.
Jeff: Yeah, it's reputation. If it harms reputation enough, that could be the end of it. And there are certainly financial penalties to pay off of it, you know, just from cleanup costs, etc., but also from stock values, etc. So I think sometimes people are looking for justification as to why you do IAM; that's one of the reasons. It's not a matter of if, but when, and when it happens, you want to be able to identify the problems quicker. You don't have been able to spot problems faster and remediate them faster and be able to address the gaps that might be out there. And IAM is a critical component of that.
Jim: It's just taking like over the years of having talked to people about data breaches, maybe 10 years ago, even five years ago, talking about them is like it's fear, uncertainty, and doubt. One factor is that you're just trying to get money for security by scaring me, or the reality is you should be scared, you should be very scared. And so maybe sometimes fever just can't listen, because they think that you have a motivation.
Now you're a consultant. You're trying to sell security software.
Usually we're not in their shoes of trying to sell something, but still, we are consultants in this industry. But the fact of the matter is, like a new breach pops up, it seems like every day or at least every week there is a new security or data breach, I think last week. So that's something that I think we should podcast about when more information comes out, but I think that's it's not just fear, uncertainty, doubt. It's very real. And when you just start showing, hey, within your industry or a very similar industry, it does seem a hack has taken place recently, and it's something that should be paid attention to and is getting more attention paid to.
Jeff: You don't want your company to be associated with a hack. When you think about Target, right now, it's kind of like one of the first big ones where now you say the Target hack and most people in the industry know exactly what you're talking about. You think you want to be to have that association. I'm sure Target has done things to get things cleaned up. But they're still recovering. They're still trying to recover the name and the reputation from years and years ago when that took place. So that's one of the things that I think about as well.
Jim: Yes, I agree.
Jeff: Let's see, what else can we talk about as part of this garbage plate?
What about other things around ITSM and IAM? Are there is anything else that you want to bring up on that?
Jim: Well, so, yeah, I mean, again, I respect the perspective when an organization wants to achieve one place to go to request stuff and really leverage our investment in ServiceNow. And what you see is companies like ServiceNow, people were or companies in the ITSM space are looking at this and saying organizations want to use our software for this. So we should start building functionality.
Thing is where they are today. They have a long way to go before they do what an identity governance solution can give them, so at some level, you end up with both.
The question is how do you integrate them?
Do you do a full on integration so that you feel like, it's really how much do you do to achieve that feeling that I have never left? I never had to leave this application. I never had to leave ServiceNow. And they got everything I needed, vs. I go to one place and there's a kind of a dashboard look and feel, but one of the buttons is request access, and when I do that, it's pretty clearly a different system. I think that second approach makes more sense, rather than trying to do a deep integration, whereas more of an API type integration. And the reason is that I feel like changes in these systems are going to happen so fast that you're going to be in the business of integrating these two systems in a big way for years and years if you tried to go down that road. I think you're better off saying the IGA tool is going to do access requests for, you know, secure for cybersecurity, getting accounts on IT systems, and our ITSM system is going to be where you request physical assets and maybe physical security.
Jeff: I think the line is a little bit blurry. If you had asked me 10 years ago, I'd have said, yeah, there's no way an ITSM tool can support the approval functions that we need, the security of the data going back and forth, because it may be IDs, passwords, etc. And the interface just wasn't very good. Now the interface, I think, has caught up, and I think the question is where does the line get drawn between access request and access fulfillment, and access fulfillment from an automated standpoint? Can you use Workday, for example, as the front door, handle all the approvals and then hand that over to an IGA product to do the fulfillment in an automated fashion? Yeah, there are probably cases where that would work.
But I think that's where the line is starting to become drawn: where does the fulfillment take place? Something's off the manual didn't take it. I've taken the approach of thinking, okay, it makes sense to have everything kind of one stop shop, but we have to understand if there are any sacrifices that we're going to have to make for that. Does the IT central have the capability to delegate approvals, vacations, out of office, different people for approvals depending on the access request type, those sorts of things? And then how do you handle things that are not IT? So if you're using your IGA platform to onboard somebody, are you integrated to the level where, you know what, we just got, let's say, a Workday feed came in. Here's a new hire. We went off and created their Active Directory account and some other accounts. Do we have the capability from the IGA side to push information into an ITSM tool to handle other onboarding activities? This person needs a laptop. We created their e-mail address. Here's the e-mail address, here is the domain name, now
that is the something that you support people who handle physical devices. They get a ticket. And it came from the IGA side as the source of the information, not just the receiver. So I think there's a lot of interplay that can happen there. No ID badges, credit cards, et cetera. And Nevada State is, someone joins a company and most things are automated. And there's really no reason for a manager.
They have to submit a ticket for boarding the real estate. Is that most companies still have to have a manager or H.R. or some other person in the process submitting tickets for all this stuff, which is tedious and, prone to being forgotten. My favorite when I was in this role was, you know, hey, it's Friday and 4:30. And, some managers come to me and say, hey, I forgot. I've got six contractors all starting on Monday. It's OK. Well, thanks for that. So I guess I know what I'm doing for the next few hours, later on a Friday night, get these guys set up. But yes, you can avoid that situation through automation, but being able to tie together your IGA and your ticketing systems. I think that's really where most companies want to go. But you just have to recognize the strengths of each platform and play to each of those. And there may be times where you do want to settle on one application and kind of do that, but you have to understand what you're giving up in that scenario.
Jim: When it comes to kind of what the I.T. systems tool gives you is going to give you a platform for making their progress and making the workflows is not going to give you a full database of what you just sell there. And even when it comes to assets, it's like the assets. So the provision is going to be able to give you a record of them, but it's not an asset management system. I think that's kind of the same thing when it comes to cyber access. It's going to be is a great interface for requesting access.
And I think a lot of the systems in the ITSM space have now gotten really good at issuing tickets to go ahead and complete provisioning.
The reason there's some automated provisioning to be can point to Active Directory, how they adopt for identity management systems are not going to tell you who has access to what. And so I think they serve an important place. They support an important function.
But it's not the be-all and end-all, that's my opinion. And I'm sure there are people out there screaming at the radio or whatever they're listening to this podcast on, so that's great.
I'd love to hear some feedback because honestly, this is an industry that's evolving so much.
And what we do is we constantly bring taken so many different perspectives, marry that up with our own experience and formulate opinions. Those opinions change over time.
Jeff: And seeing what works and what doesn't work. All the organizations that we work with, I mean, it's always an interesting struggle and I can certainly appreciate both sides of it, and my thought has gone back and forth. That's the great thing about opinions: they can change. The facts change. And that's typically the way that I approach it as well. I guess, at the very base, a ticketing system is not necessarily an IAM system. That's just the way that I look at it. I think that's probably a pretty good spot to leave it for this week. Appreciate you jumping out with me, Jim, and...
Jim: It's my birthday, Jeff.
Jeff: It is Jimmy Mack's birthday. He has graciously donated an hour of his time on his birthday, which we all appreciate. I hope you have a good birthday. I know I'll be seeing you next week.
Jim: I have it every year, so that's not a big deal.
Jeff: We'll catch you again next year.
Jim: I hope we're still doing the podcast.
Jeff: I'm sure we'll the enterprise where we're doing our best to try and keep up with the weekly schedule, so far, so good. Couple of times behind the scenes has gotten a little bit close.
Jim: Jeff, people are appreciating the podcast. I want to see us keep doing it, and a couple of things that they can do to help make sure that keeps happening. One is our mailbag, or questions@identityatthecenter.com.
That's e-mail, right. But you can also go to our website or send an e-mail. The other thing is obviously to rate and review the podcast. Five stars would certainly be appreciated.
Jeff: Share with your friends, help us grow the audience kind of helps provide some validation that somebody is listening to us out there. We're still a terrestrial podcast, so looking for our first extraterrestrial.
Jim: I think it would be really cool as well if we can start to build some community around the podcast and try to take some time to formally, but then we have little meetups at the major conferences. So like Identiverse and Gartner, you suddenly get a little meetup. So, a big part of what makes our IAM practitioner community what it is is the ability to meet in the space and build a network and bounce ideas off each other.
Just so you learn as to know what other people are doing and what kind of experiences they're having over that over the period of time, over the next year, maybe my next birthday or more the position they really call it a community and start having some of these meets up.
Jeff: Yeah, that's interesting point. I mean, where Jim and I are both going to be at the Gartner IAM conference in Las Vegas in December if you're gonna be there and you're gonna say hello and commiserate or just chatter. Just bump whatever it is. Shoot us an e-mail, firstname.lastname@example.org and maybe we can make that a thing. Who knows? Maybe we may be able to do some life podcast report or a recording while we're out there where Jim and I are always constantly trying to figure out ideas on how to make this entertaining and informative and inclusive of folks. So if you've got questions or ideas or if that's something that maybe sounds interesting, so hit us up on email and we read them all and we get back to everyone.
So with that public service announcement, I think we'll call this garbage complete and cleaned. Happy birthday Jim. And we'll talk to you folks on the next one. Thanks.