The Black Book of Identity Access Mgmt
    Tuesday, May 1, 2012

    NO SoD POLICIES? IT’LL COST YOU

    Dixon, Illinois is a pretty neat little town. Half dying because it used to depend on a fading farm community, but it’s got an iconic arch for a gateway, it’s the birthplace of Ronald Reagan, and it’s home to an excellent state park. My wife and I have had a couple of getaways there over the years, a ways west of Chicago.

    In October 2011, Rita Crundwell, the comptroller and treasurer of Dixon, went on her own getaway, and while she was gone, the city clerk found some boo-boos in the books. Turns out Rita had been looting the town, and had stolen around $30 million over six years. The town’s annual budget never exceeded $9 million.

    Rita had been supporting a lavish lifestyle, including a couple of horse farms, on a salary of $80K. Nobody seemed to catch that.

    Everybody had trusted Rita. She would even perform some of the duties of the city commissioners while they were unavailable. Real or digital, that’s excess entitlements.

    But here’s the kicker. Kelly Pope, a forensic accountant as well as a professor of accountancy at DePaul, said that auditors should have caught Dixon’s weak internal controls. “That’s Accountancy 101, SEGREGATION OF DUTIES … the person that writes the checks isn’t the person who deposits the checks.”

    My first introduction to the consequences of SoD was during a visit to a mortgage company in Pennsylvania, during the height of the real estate boom. Anybody who could make an X in purple crayon on the back of an Eskimo Pie wrapper could get a mortgage. But the client at hand had been written up when one of their officers had submitted and approved his own $2M mortgage. Hey, you gotta draw the line somewhere.

    I have spent a lot of time cataloging the various tricks and traps of auditors, the ways in which they show they’re worth their money, by tripping people up on the dumbest of things. Remember, auditors are not your pals. They are there to screw with you. If an audit goes squeaky clean, it’s assumed the auditors haven’t done their job. So they will always find something. It’s like the old story in Chicago, if the health inspectors need a Christmas bonus, and your restaurant doesn’t have any rat droppings, they will bring their own.

    Segregation of Duties is an easy one: people who hold conflicting entitlements. A lot of organizations KNOW they have this problem, but can’t fix it simply because they don’t have enough bodies. That’s when you come up with toxic combos. “You can’t have A and B if you already have C.” In any event, there must be a set of policies, they must be regularly reviewed and enforced, and any exceptions must be documented.

    And there’s your partial out. Document all exceptions. This provides you at least a temporary reprieve. The only thing worse than a violation is one you were grossly ignorant of. Take responsibility for it, document it, and mitigate as best you can. In other words, it’s okay to get caught, just not with your drawers completely down.
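An added example, not code from the blog or any vendor product, of the two ideas above in Python: toxic-combination rules (including the conditional “A and B, given C” form) checked against each user’s entitlements, with a register of documented exceptions so a report separates known, mitigated violations from the ones you were ignorant of. Rule names, entitlement names, users and the ticket reference are constructed.

```python
from dataclasses import dataclass

# A toxic combination: holding every entitlement in `conflict` is a violation,
# but only when the user also holds everything in `given` (empty = unconditional).
@dataclass(frozen=True)
class SodRule:
    name: str
    conflict: frozenset
    given: frozenset = frozenset()

# Constructed policies: the "writes checks vs. deposits checks" split from the post,
# and the conditional form "you can't have A and B if you already have C".
RULES = [
    SodRule("write-vs-deposit", frozenset({"issue_payment", "reconcile_bank"})),
    SodRule("vendor-vs-pay", frozenset({"create_vendor", "approve_payment"})),
    SodRule("a-and-b-given-c", frozenset({"A", "B"}), frozenset({"C"})),
]

# Documented exceptions keyed by (rule, user): the justification and compensating
# control are what separate "caught" from "caught with your drawers down".
EXCEPTIONS = {
    ("vendor-vs-pay", "ap_clerk"): "ticket SOD-000 (constructed): monthly manual review by controller",
}

def find_violations(users, rules=RULES, exceptions=EXCEPTIONS):
    """users: {user: set(entitlements)}. Returns (undocumented, documented) violation lists,
    each entry being (user, rule_name, justification_or_None)."""
    undocumented, documented = [], []
    for user, ents in users.items():
        for rule in rules:
            if rule.given <= ents and rule.conflict <= ents:
                why = exceptions.get((rule.name, user))
                (documented if why else undocumented).append((user, rule.name, why))
    return undocumented, documented

# Constructed sample population: one person wearing both the check-writing and the
# reconciling hats, one documented exception, one A+B without C, and one A+B+C.
USERS = {
    "treasurer": {"issue_payment", "reconcile_bank", "approve_payment"},
    "ap_clerk":  {"create_vendor", "approve_payment"},
    "analyst":   {"A", "B"},
    "admin":     {"A", "B", "C"},
}
```

Running `find_violations(USERS)` flags the treasurer and the admin as undocumented, lists the AP clerk under documented exceptions, and leaves the analyst clean because C is not held.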

    There’s only one place on Earth where violations are not enforced. My house. I am not allowed to pick dinner, handle the check book, choose my own clothes, determine the time to leave for church, or comment on the kids’ hairstyles. And it all started years ago with the exclamation from the household SoD violator: “Please tell me you’re not wearing THAT to the funeral.”

    

    Wednesday, April 18, 2012

    Hacking: it can happen to YOU

    I’ve been spoiled lately. Almost all my flights have been smooth since last fall. I even visited Europe for a customer this past month, and had clear sailing over the Atlantic and back. Other than one brutal trip home from Detroit in January, it’s all been good.

    But in almost fifty years of flying, I’ve never gotten used to turbulence. I absolutely hate it. My wife, who barely flies, deals with it better than I do. So I have been very lucky in recent months, and haven’t been sweating getting off the ground. And that’s how it goes. We get cocky when we go long periods without a bump.

    I see the same thing with clients. Hacking? We’ve never been hacked. That stuff happens to other people.

    There have been some pretty high profile breaches in the last couple of months. After one of these hit the headlines, their biggest competitor called me in to discuss what I knew of the case. I had read between the lines in the newspaper coverage, and provided some analysis. But it was clear in the first ten minutes, they weren’t worried so much about securing their assets as they were about passing their next audit. Their auditors, they said, would be tougher after the recent news.

    When customers say they’ve never had anybody try to hack them, it means they haven’t been looking hard enough. “We make porcelain doorknobs, who would want to hack us?”

    It doesn’t matter who you are. If you’ve got sensitive data, somebody somewhere will know it, and they will go after it.

    It CAN happen to you. Unless you don’t let it.

    

    Wednesday, April 4, 2012

    How to Succeed in IdM by Really Trying

    Recently I took the family to the local high school to see their spring musical, “How to Succeed in Business Without Really Trying.” The guys in charge of staging these things are geniuses. The band was phenomenal. And the kids, especially the lead, were amazing. I really expect him to go places.

    It’s a very old Broadway show that was turned into an excellent movie decades ago. The gist of the story is that a guy named Finch worms his way to the top by being clever, sneaky, sometimes deceitful. He doesn’t really work at the process; he creeps around it.

    I more than occasionally run into organizations who try to do the same thing while aiming at security, compliance, or converting from one security platform to another, or multiple others. Part of the problem is the bottom-feeding portion of the vendor community that tries to sell its wares by telling potential clients that the answer to compliance, for example, or role management, or Segregation of Duties (SoD) is to install their crap and BOOM – they’re done. Well, obviously it’s a lie.

    For example … there is NO magic bullet product that can create SoD policies on your applications for you. There are libraries out there, built on best practices, for the most common business apps, such as Siebel, Peoplesoft, SAP, etc. These templates can be digested by various enforcement tools, but YOU still have to put them in their proper place.

    There is NO magic roles product. There are solutions out there that will help you discover and refine inherent roles, but certainly not create them from scratch in perfect condition. Oracle Identity Analytics, for example, can help not only with roles, but also with the anti-roles, namely SoD.

    There is NO magic compliance tool. Compliance with just about any regulatory set of requirements means having to improve your processes as well as your IT solutions. It’s not just installing a piece of software. PCI compliance means putting in place policies and solutions across database, infrastructure, identity, and other aspects of your systems.

    It ALL takes work. You need to prioritize, then create a plan, acquire the human and digital assets, then build, test, and execute. You might get outside help, but the liability is still YOURS. So no matter what, it’s WORK. Sound hard? Well, you balance that work against lower productivity, lower user satisfaction, higher help desk costs, higher audit support costs, and the really big one, RISK.

    

    Monday, March 5, 2012

    “Workflow” presumes some “work” and some “flow”

    Recently I flew to Minneapolis, and had reserved a rental car. Because of some computer snafu on their end, the rental folks didn’t have my name on the board to allow me to simply walk to a car. I had to get in the line, where I waited more than ten minutes despite having only one guy ahead of me. I had put my preferences for a vehicle and insurance in my reservation, but the rental lady insisted on pushing more options at me. For some insane reason they put in my profile a couple of years ago that I need hand controls. Every single time, I have to tell them, no hand controls, and can you please fix my profile.

    I got to my car, and sure enough, no keys in it. So I had to schlep back to the counter and wave somebody down. NO WAY I’m waiting in line again. Keys. Now. But they couldn’t get me the keys, so they gave me a different car.

    The car itself was okay, although the onboard GPS was terrible. My iPhone did a far better job. In fact, the GPS had an option to get me back to the rental returns, but sent me to the wrong one. Finally found the right one, through purely human intervention, and when I got there, the return guy informed me his little hip machine couldn’t print my receipt. He directed me to the counter, where the line was nine people long. Forget it.

    I went to their website, which has a link for “Find a receipt.” Only it didn’t have my most recent one. I called the reservation line to ask for the customer service line. I talked to them, and was told I’d need to speak to the actual location. “I’ll transfer you,” I was informed. But instead of Minneapolis, I ended up with Oklahoma.

    FINALLY I reached Minneapolis. They put me in touch with a lady in the back office. She said she’d push my receipt to the website, and that I should go back there. Sure, it showed up, but with literally no detail. At least not enough to put on my expense account. I called her back, and she asked for my email address, said she’s send it to me directly within two minutes. Two hours later, nothing. I called her yet again, and left her voice mail. “Hey, receipt?” By end of day, still nothing.

    This is a place that could do with a good ticketing system, to drive issues to resolution. What’s funny is, every person who answered a phone for me that day asked me, “How do I resolve your issue quickly?” And then not a one of them could.

     The idea behind workflow is that you have something you need to accomplish, an ordered set of steps designed to accomplish it, a timeline in which it is to be accomplished, and fallbacks in case any of the steps fails to complete. For example, I hire a guy for a sales job. He has to get all the usual stuff an employee gets access to, such as an email address, some space on the file server, a login for the 401K, and an LDAP account. Then he has to get enabled for salesguy stuff: forecasting system, CRM account, accounts receivable, and expenses. I put him in HR, and I want some magical gremlin thingy to grab that entry and send off a workflow request to get the new hire approved by a director, a business unit manager, and VP. Then I need the functional stuff, i.e. the resource owners of those individual applications or whoever else is appropriate. If at any point one of those approvers isn’t available, or waits too long to do his job, that part of the request gets rerouted to somebody else. If something gets rejected, the workflow engine decides if the rest of the request goes forward, or gets rolled back. Maybe the new hire gets all or nothing. Maybe he can collect only those pieces that get approved. I should be able to check on the status of the request, see how far it’s gotten, who’s approved what up to now, what’s gotten rejected, where the request might be stuck, and so on. Ultimately, workflow drives the entire package to some sort of completion.

    This should be driven by logic, not by emails, voice mails, sneakernet.

    This sort of workflow engine accomplishes three major things. First, stuff gets done. Things don’t fall through the cracks. Second, consistency. Things get done the same way every time, as opposed to the random nonsense that happens when you rely on email and voicemails. This means you can bake your policies into those workflows. I need these steps, these requirements fulfilled, these approvals, these escalation procedures.

    Third, it’s self-documenting. The order is already documented by virtue of the workflow definition, and as each step completes (whether it’s approved, rejected, or rerouted/escalated), the engine generates (or at least it BETTER) an entry, a report, a notification, or some combination thereof. If something happened or didn’t, I can discern the reason.

    By the way, this is even more urgent a need when you’re talking about DISABLEMENT. Enabling users coming on board is a matter of convenience and productivity. Disabling them when they are terminated, especially for cause, is a matter of security.
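An added example, not the blog’s or any workflow product’s code, that simulates the onboarding request described above in Python: ordered steps, a fallback approver per step, rerouting when an approver is unavailable or misses the SLA, the engine’s all-or-nothing versus partial decision on a rejection, a status query showing what is granted, pending or stuck, and a log that makes the whole thing self-documenting. Step names, approver names and their decisions are constructed.

```python
from collections import namedtuple

# A step is an approval gate or a resource that needs its owner's sign-off. The
# fallback gets the step when the approver is unavailable or blows the SLA.
Step = namedtuple("Step", "name approver fallback sla_hours")

def run(steps, decisions, all_or_nothing):
    """Drive one request through its steps. decisions maps approver -> (verdict, hours
    taken); an approver missing from it never answered. Returns status plus the log."""
    outcome, log = {}, []
    for step in steps:
        who = step.approver
        verdict, hours = decisions.get(who, ("timeout", None))
        if verdict == "timeout" or hours > step.sla_hours:
            log.append(f"{step.name}: {who} missed the {step.sla_hours}h SLA, rerouted to {step.fallback}")
            who = step.fallback
            verdict, hours = decisions.get(who, ("timeout", None))
        if verdict == "timeout":
            log.append(f"{step.name}: stuck waiting on {who}")  # parked and visible, not lost
            break
        if verdict == "approve":
            outcome[step.name] = "approved"; log.append(f"{step.name}: approved by {who}")
            continue
        outcome[step.name] = "rejected"; log.append(f"{step.name}: rejected by {who}")
        if all_or_nothing:  # the engine, not an inbox, decides whether the rest proceeds
            granted = [n for n, o in outcome.items() if o == "approved"]
            log.append(f"rolled back: {granted}")
            outcome.update(dict.fromkeys(granted, "rolled back"))
            break
    return {"granted": [n for n, o in outcome.items() if o == "approved"],
            "pending": [s.name for s in steps if s.name not in outcome],
            "outcome": outcome, "log": log}

# Constructed sample: the new sales hire from the post, with invented approvers.
STEPS = [Step("director approval", "alice", "bob", 24),
         Step("business unit manager approval", "carol", "dan", 24),
         Step("VP approval", "erin", "frank", 48),
         Step("CRM account (resource owner)", "gus", "hal", 72),
         Step("expenses system (resource owner)", "ivy", "jan", 72)]
DECISIONS = {"alice": ("approve", 2), "dan": ("approve", 5), "erin": ("approve", 20),
             "gus": ("reject", 10), "ivy": ("approve", 1)}  # carol never answers

def onboard(all_or_nothing):
    return run(STEPS, DECISIONS, all_or_nothing)
```

With `onboard(True)` the CRM owner’s rejection rolls back the three approvals already collected; with `onboard(False)` the hire keeps everything except the CRM account, and `run(STEPS, {}, True)` shows a request parked at the director’s fallback rather than silently lost.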

    Workflow is a thing of beauty. In other words, things work, and things flow. They happen, and they do so according to a plan. Anything else is chaos, or a message shoved in a bottle and tossed into the sea. Email and voicemail for user entitlements is nothing more than a hope and a prayer. And you can’t run a business, or pass an audit, based on those.

    

    Monday, February 6, 2012

    You CAN get there from here

    A big competitor of my company likes to buy other companies and then suck their customers dry on maintenance. They really don’t care much about keeping those customers happy or keeping them in the family, they only want the maintenance base to fund future efforts.

    But Oracle, like the Borg, wants to assimilate. They want to keep customers in the family. Maintenance is great, to be sure, but happy customers are paying customers are upsell customers are references. Happy is good.

    One of the acquired customer groups is the Sun customers. There are all sorts of products that Sun sold, of course, but the ones I care about are the identity and access customers. When Oracle acquired Sun, they began the process of deciding which products from both companies would stick, and which ones wouldn’t. The products to be let go were deemed “non-strategic.” The ultimate aim was to create a truly best of breed selection. In other words, cherry pick the best possible components for the future offering. So Oracle Role Manager gave way to Sun Role Manager (formerly Vaau), the provisioning connectors became a mix and match exercise, the Fedlet and Secure Token Server stuck, and Sun Identity Manager was put into maintenance mode in favor of Oracle Identity Manager (same for the access management).

    Oracle’s standard for workflow is BPEL, the evolution of BPM. It’s all about process, order, logical steps, open standards. This won out over SIM’s proprietary Express scripting. Now when old SIM customers ask about the level of effort to migrate from SIM to OIM, they tell me, “We have this many users. How long will it take?”

    My standard reply is, “I don’t give a darn how many users you have. How many workflow definitions do you have, and how ugly are they?”

    One or two step approvals are fairly easy to translate. But big, hairy workflows with lots of callouts and circular logic, exceptions, escalations, and so on, these get nasty.

    There are migration tools available. People hear this term and say, “Cool, I can feed my old workflows into the tools and get shiny, new workflows.” No, wrong, not gonna happen.

    The migration tools, which are free, do this one thing very well: they create an inventory of what there is to be migrated. They help point the way. They will NOT eat your SIM architecture and spit out OIM. But they definitely help. In the end, it’s a fairly manual process of redesign. Also remember, the way you did it the first time is probably in need of an overhaul anyway. I guarantee that if you COULD wave a magic wand and turn Express logic into BPEL, you’d inherit a bunch of badness. A migration, if you can charitably call it that, is an opportunity to re-examine your processes, and refine them, make them better, stronger, faster.

    You can get there. You might need some help. In fact, I’ll bet you will. But you will get there. I would never lie to you.

     
