Cockroaches, Teenagers and IAM
I met with a senior risk management executive from one of Courion’s customers recently, and he shared an analogy with me to illustrate his view that the Identity and Access Management industry has not delivered an effective solution for his organization to manage its access risk.
I call his analogy: “If we ran our households the way the industry tells us to run IAM.”
Don and Nancy are the proud, new owners of a beautiful 3-bedroom home in a lovely suburb. They are focused on – and maybe a little bit obsessed with – good hygiene (the result of a cockroach incident in their past). Upon closing the transaction, they descend on their new house with buckets, mops, disinfectants…the works. They spend days cleaning every nook and cranny to ensure the house meets their high standards for cleanliness. Getting it right at the start!
Concerned that the house remains clean, they educate their teenage children, Sally and Johnny, on the importance of not leaving greasy pizza boxes on their beds, or half-eaten burgers on their desks, or dirty laundry on the floor for weeks. They even make Sally and Johnny certify that they fully understand the family policies on cleanliness.
Time passes, and one spring the grandparents are soon to arrive to see Sally graduate from high school. The kids are told to prepare to sleep on air mattresses in the basement, and that their grandparents will be using their rooms. As they are going to bed one night, Nancy tells Don that she is concerned that the kids’ rooms might not be clean, that they might not have adhered to the family policies.
The next day at breakfast Don loudly proclaims: “Honey, nothing to worry about, we are clean and bug-free! I have reminded the kids how important it is to keep their rooms clean, and have reviewed with them the procedures for doing so. And I have right here,” and at this point he waves some pieces of paper, “signed forms from both Johnny and Sally in which they certify that they have kept their rooms clean as a whistle! We are in great shape!”
Two days later when the auditors (otherwise known as the grandparents) show up and bring their bags upstairs, they are shocked to find half-eaten cupcakes molding on the window sills and cockroaches ready to spill out into the hallway.
Of course, this is not how parents generally behave. They periodically observe the state of their households. They see what is or is not put in the recycling or laundry bins. They do a whole lot of monitoring – and drive immediate action when they find something amiss.
Well, shouldn’t we do the same with IAM? We make sure everything is clean up front (provisioning tied to the business processes that grant access). We have others verify later that everything is still clean (business users certifying access rights). Provisioning and Identity & Access Governance are important components of an access risk management strategy, but they are not the complete solution: both are point-in-time controls, and a certification is only as good as the attention the reviewer gave it on the day it was signed. Anything granted, accumulated or changed between those points goes unseen until the next review. They need to be complemented with a real-time monitoring capability that continuously compares what users actually hold against what was provisioned and certified, discovers the week-old bagel (in our world, issues like excessive access) and drives immediate action to remediate.
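As an added illustration of that monitoring step (example code written for this edit, not Courion’s product and not code from the original post), the check below takes a live snapshot of each user’s entitlements, compares it against a role model and the user’s last access certification, and flags two things a signed certification form cannot catch on its own: entitlements outside the user’s role that no business owner ever certified, and certifications that have gone stale. All user names, roles, entitlement strings and dates are constructed sample data.

```python
"""Continuous access-risk check: live entitlements vs. role model vs. last certification.

Constructed example. Role names, entitlement strings, users and dates are all made up;
in practice the snapshot would come from the target systems and the certification
records from the governance tool.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Role model: the entitlements each job role is expected to carry (assumed data).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "ap_clerk": {"erp.invoice.read", "erp.invoice.create"},
    "ap_manager": {"erp.invoice.read", "erp.invoice.create", "erp.invoice.approve"},
}


@dataclass
class User:
    uid: str
    role: str
    certified: Set[str]            # entitlements a business owner attested to at last review
    certified_at: date             # date of that review
    current: Dict[str, date]       # live snapshot: entitlement -> date it was granted


@dataclass
class Finding:
    uid: str
    entitlement: str               # "*" when the finding concerns the whole account
    kind: str                      # "excessive" or "stale_certification"
    detail: str


def check_user(user: User, today: date, max_cert_age_days: int = 90) -> List[Finding]:
    """Return the findings for one user; an empty list means nothing to remediate."""
    findings: List[Finding] = []
    allowed = ROLE_ENTITLEMENTS.get(user.role, set())

    for ent, granted_at in sorted(user.current.items()):
        if ent in allowed:
            continue                                   # within the role model: expected
        if ent in user.certified and granted_at <= user.certified_at:
            continue                                   # a reviewed, approved exception
        when = "after" if granted_at > user.certified_at else "before"
        findings.append(Finding(
            user.uid, ent, "excessive",
            f"outside role '{user.role}' and not covered by the certification of "
            f"{user.certified_at} (granted {granted_at}, {when} that review)"))

    # The signed form itself ages: past the threshold it no longer says anything useful.
    age = (today - user.certified_at).days
    if age > max_cert_age_days:
        findings.append(Finding(
            user.uid, "*", "stale_certification",
            f"last certified {age} days ago (limit {max_cert_age_days})"))
    return findings


def run_monitor(users: List[User], today: date) -> Dict[str, List[Finding]]:
    """Run the check over a whole snapshot; one entry per user, even when clean."""
    return {u.uid: check_user(u, today) for u in users}


# Constructed sample snapshot as of 2024-03-01.
SAMPLE_USERS = [
    # Sally was certified clean in January, then picked up an approval right in February.
    User("sally", "ap_clerk",
         certified={"erp.invoice.read", "erp.invoice.create"},
         certified_at=date(2024, 1, 15),
         current={"erp.invoice.read": date(2023, 6, 1),
                  "erp.invoice.create": date(2023, 6, 1),
                  "erp.invoice.approve": date(2024, 2, 20)}),
    # Johnny holds an out-of-role entitlement, but a reviewer certified it as an exception.
    User("johnny", "ap_clerk",
         certified={"erp.invoice.read", "erp.invoice.create", "hr.payroll.read"},
         certified_at=date(2024, 1, 15),
         current={"erp.invoice.read": date(2023, 6, 1),
                  "erp.invoice.create": date(2023, 6, 1),
                  "hr.payroll.read": date(2023, 9, 1)}),
    # Don's access matches his role, but nobody has looked at it since October.
    User("don", "ap_manager",
         certified={"erp.invoice.read", "erp.invoice.create", "erp.invoice.approve"},
         certified_at=date(2023, 10, 1),
         current={"erp.invoice.read": date(2022, 1, 10),
                  "erp.invoice.create": date(2022, 1, 10),
                  "erp.invoice.approve": date(2022, 1, 10)}),
]

if __name__ == "__main__":
    for uid, findings in run_monitor(SAMPLE_USERS, date(2024, 3, 1)).items():
        status = "clean" if not findings else f"{len(findings)} finding(s)"
        print(f"{uid}: {status}")
        for f in findings:
            print(f"  [{f.kind}] {f.entitlement}: {f.detail}")
```

The point of the two rules is that they run against the live snapshot every time, not against what was written on the certification form: Sally's approval right is caught the day it appears rather than at the next review, and Don's account is surfaced because the review itself has expired. Each finding carries enough detail to open a remediation ticket directly.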
So what’s the moral of the story? The IAM market must move beyond static, point-in-time controls to provide real-time access risk monitoring – and you should go check your children’s rooms!