With our own personal identity details being proliferated on the web at an unprecedented rate, many of us are finally taking steps of our own to protect ourselves. But it is a daunting proposition to rein in what has already become a runaway train in many ways.
Lying in bed trying to get to sleep, I wonder what would happen if I woke up to find my iPhone being held to ransom by unscrupulous identity thieves. At least I’ll be aware almost as soon as it happens, and stand a fighting chance of doing something about it, I hope. But what happens in a corporate context when the identity theft goes unnoticed for some time? I’m talking about things like acts of fraud or malice carried out by former employees against a former employer through access that wasn’t identified and revoked in time.
This scenario is very real now and has been for many years. One of my first major IdM projects on the old MIIS platform was commissioned for exactly that reason. That organisation was compelled by its own shareholders and stakeholders to take action in response to an attack, and fortuitously for all parties the funds were always going to be set aside to make this happen. However, almost a decade later, most organisations are still waiting for an ‘opportune moment’ to take the plunge in their own IdM initiative, and crossing their fingers that nothing sinister will catch them napping in the meantime.
I strongly suspect many organisations are foolishly waiting for someone else to magically solve their problem for them. Surely one day soon a Cloud Identity Service provider will reach out and pull them onto the rescue helicopter and save their organisation the pain of building their own solution?
I drift off to a restless sleep …
<cue spooky music>
I find myself the CEO of a small-to-medium-sized retail firm of some 300 employees that has been in operation for just on 10 years. I have long recognised the value in relocating my rapidly expanding IT operations to the cloud, and have just taken what I considered to be the obvious step of moving to Office 365.
Like 98% of all organisations these days I already had my own ‘on prem(ise)’ Active Directory forest, and having just made the O365 move I am beaming with self-satisfaction at having refused to approve the in situ upgrade of our old Exchange mail system my CIO recommended 3 years ago. However, I canned an IdM initiative at the same time, with funds being redirected to a (much sexier!) company intranet replacement with Office SharePoint and a CRM.
At the time my CIO reported that our company’s AD was in need of a redesign, and that some of the more attractive features of SharePoint (audience targeting, built-in manager org structure, approval delegations) and Exchange (dynamic address lists) were not going to be usable without this. Furthermore, AD groups and address lists had proliferated to the point where there were more groups than users. But worse still, nobody seemed to be on top of which user accounts should be active, or which now had inappropriate permissions. Despite all this, I accepted advice from a trusted vendor that a quick fix was all that was needed to ‘rationalise’ the number of groups and disable all accounts which had not been accessed in 3 months. I also recall that a quick cross-check with a dump from our chris21 HR system had identified several accounts of former employees which were also disabled.
That was 6 months ago, and since then I have been marveling at how much more reliable our email service has been, with no obvious additional management overhead now that Microsoft’s ‘DirSync’ (or ‘identity bridge’ as we refer to it now) is quietly humming away, automatically provisioning mailboxes and syncing Azure identities and now passwords with our 10-year-old on-prem AD. Life is sweet, and I am now asking my CIO to look at commissioning other cloud services such as SalesForce now that Azure federated access with single-sign-on (SSO) is readily available.
The tranquility is rudely interrupted by a call from my CFO, who has just been advised that the O365 license limit has been exceeded and that I need to double our number of CALs. In addition, the mailbox limit allocations initially selected are now woefully inadequate, despite only minimal growth in our organisation size. Worse was to come.
I now find myself reading an email from a large client that is thanking me for advising them to cancel their regular large purchase order, and for saving them any potential embarrassment of being caught short. They tell me they were at first disappointed and confused, but are now happily signed on with a major competitor for the next 3 years. This is a huge surprise to me as I was only at lunch with their MD the previous month and had agreed on a new deal for additional product lines. Instead the email finishes by thanking me for our many years as their trusted supplier and wishes me all the best.
I sit there scratching my head as to how this could happen … then I remember a conversation I had with a former employee before they left the company to join this same major competitor, where he had asked explicitly about the account and how proud he had been to introduce them to us ten years ago. The penny dropped and I realised what must have happened.
I immediately reach for the phone but before I can speak to my AD administrator to investigate a possible security breach, I wake up in a cold sweat …
I decide that my life must be far too dull to be dreaming about this sort of stuff (supposing for a minute that I actually did!). But I do wonder what it will take for people to get serious about sorting out the integrity of their on-premise AD before they go publishing it willy-nilly to the cloud. Why doesn’t everyone listen to us wise Identity folk and “bite the IAM bullet” sooner rather than later? I suspect it just comes down to people riding their luck as long as they can … and as long as they can argue that a “proper” IAM solution is out of their reach for now.
Well, the good people at UNIFY have come up with our new “LITE” approach to IdM (for chris21 or Aurion HR only at this stage), so that companies like the one in my dream can have a foundation-level, enterprise-standard IdM solution deployed to production within a couple of days (my first site took only 3 days). They can now happily DirSync to their hearts’ content, safe in the knowledge that only current staff have access to O365 and their federated SalesForce customer directory, with the added bonus of an always accurate GAL complete with manager-based organisational structure. And by the time they want to extend this to the next connected system, we can seamlessly extend to FIM2010 now or look to leverage the new MIM platform as a logical progression.