IT shops are typically complex and manage an array of moving parts. Keeping identities provisioned, licensed and secure involves endless touch points. There are the basics of ensuring that people in roles have access to the right applications, but most orgs quickly find that they still have a lot of gaps even after they deploy and configure a well-known IGA software product. IT professionals quickly discover that many applications aren’t covered, data still needs to be managed, recertification campaigns need to be kicked off at the right time, and self-service needs to be implemented. There are literally hundreds of these scenarios. Buying an IGA was just the beginning. Many IT shops decide that solving these problems is either beyond the abilities of their IGA or requires a tremendous amount of costly custom development. This, in turn, creates a new problem: documenting and maintaining custom code.
Not sure about this? Take the Random Acts of Automation Quiz with your team:
If any of these 10 questions give you pause, then a serious team discussion is warranted.
Two choices remain: 1. Automate, or 2. Stuff it into the ITSM and put bodies in place to fulfill the requests. Manual fulfillment is the obvious choice and gets the job done, but it is error prone, slow, and very expensive. Often, only the most painful of these tasks will get automated.
Many orgs will pursue a path that we refer to as Random Acts of Automation. When the pain becomes unmanageable, someone decides to write a script to address the problem. One immediate win, and another isn’t far behind. Then another, and it continues. Virtually every IT shop has these: random scripts that “do something”, that “someone wrote”, put on a server and scheduled to run at certain points in the day.
Let’s be clear: these scripts can offer great relief. They are a quick fix to a problem, but they are the seeds of future problems.
In a nutshell, random scripts are NOT governed, and that is a major risk, especially in a world where every organization is working to implement a governance model.
Scripts almost always run in an elevated, admin context, and they run against production systems and data. These scripts often wield greater power than the admins who wrote them. People move on. They forget. Departments evolve. Many orgs are shocked to find out the extent of their problem! Many of these scripts have been running for years, and as long as the org is evolving, new scripts are likely being created to address new challenges. These scripts are prime targets in a future breach: an attacker who can edit one gets scheduled code execution in an admin context, plus whatever credentials are embedded in it.
How did we get here? “If it ain’t broke, don’t fix it.” There’s little desire to fix something that is working. These band-aids get created, they work, and the team moves on. Months later, the pain is long gone and the band-aid is forgotten. These build up. They are unmanaged and random, and therefore go undetected.
Awareness is key. Often, CISOs aren’t aware that this is happening, so they are unable to govern it. Fixing this has to come from the top as part of a security initiative.
The old adage applies: you can’t manage what you can’t measure. Start with awareness. A scan of all target servers and workstations that are likely to host automation scripts (scheduled task and cron definitions, script directories, the home directories of service accounts) is a good start. Identify the potential sources; you might be surprised by what you actually find.
Next, look for the low-hanging fruit: are there embedded credentials? Is the script running in an admin context? Get these identified and onto the action list.
The next step is taking measured action. To solve this, scripts will need to be co-located in a common repository with access governance. Scripts can be moved into folders, code signed, and their credentials pulled from a vault at run time instead of being embedded. This is a big step forward, but many controls are still missing. The organization will need to assign a capable script author and create a thoughtful implementation plan.
How will we handle auditing? How will we ensure that a script cannot be changed? How will we know if it has been changed? How will we implement separation of duties (SOD)? For these kinds of controls, typical of an ISO 27001 shop, the bare-knuckles approach to automation becomes very complicated.
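The discovery step (scan the likely locations, flag embedded credentials and admin context, rank the hits) and the change-detection question (how will we know if a script has been changed?) can both be answered with a few dozen lines before any platform is bought. The script below is an added example written for this page; it is not Readibots code and not any product's scanner. It walks a directory of script-like files, applies heuristic regexes for hard-coded secrets and elevation markers, ranks each file, records a SHA-256 baseline, and reports any file whose hash has drifted since the baseline. The file extensions, regex list and sample scripts are assumptions constructed for the demonstration, not a complete catalogue of what a real scan should look for.

```python
"""Inventory automation scripts, flag embedded credentials and elevated
context, and keep a hash baseline so later edits are detectable.
Added illustration, not Readibots code; patterns and samples are assumptions."""
import hashlib
import json
import re
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".ps1", ".psm1", ".bat", ".cmd", ".sh", ".py", ".vbs"}

# Heuristics for secrets pasted straight into a script (assumed list, not exhaustive).
SECRET_PATTERNS = {
    "password_literal": re.compile(r"(?i)\b(password|passwd|pwd)\s*=\s*['\"][^'\"]{4,}['\"]"),
    "plaintext_securestring": re.compile(r"(?i)ConvertTo-SecureString\s+['\"][^'\"]+['\"]\s+-AsPlainText"),
    "api_token_literal": re.compile(r"(?i)\b(api[_-]?key|token|secret)\s*[=:]\s*['\"][A-Za-z0-9_\-]{16,}['\"]"),
    "connection_string_pwd": re.compile(r"(?i)\b(password|pwd)=[^;'\"\s]{4,}"),
}

# Signs that the script runs, or asks to run, in an elevated context.
ELEVATION_PATTERNS = {
    "requires_admin": re.compile(r"(?i)#Requires\s+-RunAsAdministrator"),
    "sudo": re.compile(r"^\s*sudo\s"),
    "start_process_runas": re.compile(r"(?i)Start-Process\b.*-Verb\s+RunAs"),
}


def scan_text(text: str) -> list:
    """Return (kind, pattern_name, line_no) for every heuristic hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, patterns in (("secret", SECRET_PATTERNS), ("elevation", ELEVATION_PATTERNS)):
            for name, pattern in patterns.items():
                if pattern.search(line):
                    findings.append((kind, name, line_no))
    return findings


def risk_score(findings: list) -> int:
    """A credential inside a script that also runs elevated is the worst case:
    one file hands an attacker admin-level execution plus a reusable secret."""
    kinds = {kind for kind, _, _ in findings}
    score = 5 * ("secret" in kinds) + 3 * ("elevation" in kinds)
    return score + 2 if kinds >= {"secret", "elevation"} else score


def inventory_script(path: Path) -> dict:
    data = path.read_bytes()
    findings = scan_text(data.decode("utf-8", errors="replace"))
    return {"path": str(path), "sha256": hashlib.sha256(data).hexdigest(),
            "findings": findings, "risk": risk_score(findings)}


def scan_tree(root: Path) -> list:
    """Inventory every script-like file under root, highest risk first."""
    records = [inventory_script(p) for p in root.rglob("*")
               if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES]
    return sorted(records, key=lambda r: (-r["risk"], r["path"]))


def diff_baseline(baseline: dict, current: list) -> dict:
    """Compare a saved {path: sha256} baseline against a fresh scan; this is
    'how will we know if a script has been changed?' answered mechanically."""
    now = {r["path"]: r["sha256"] for r in current}
    return {"changed": sorted(p for p in now if p in baseline and now[p] != baseline[p]),
            "new": sorted(p for p in now if p not in baseline),
            "missing": sorted(p for p in baseline if p not in now)}


# Constructed sample scripts for the demonstration (not real customer files).
SAMPLES = {
    "sync_ad.ps1": ("#Requires -RunAsAdministrator\n"
                    "$pwd = ConvertTo-SecureString 'Summer2019!' -AsPlainText -Force\n"
                    "$cred = New-Object PSCredential('CORP\\svc_sync', $pwd)\n"
                    "Get-ADUser -Filter * -Credential $cred\n"),
    "rotate_logs.sh": "#!/bin/sh\nsudo find /var/log -name '*.gz' -mtime +30 -delete\n",
    "export_report.py": ("import requests\nAPI_KEY = 'a1b2c3d4e5f6g7h8i9j0k1l2'\n"
                         "requests.get('https://example.invalid/report', headers={'X-Key': API_KEY})\n"),
    "readme.txt": "not a script\n",
}


def demo() -> dict:
    """Scan the samples, baseline them, then tamper with the riskiest one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in SAMPLES.items():
            (root / name).write_text(body)
        first = scan_tree(root)
        baseline = {r["path"]: r["sha256"] for r in first}
        # A silent edit after baselining: the kind of change nobody would otherwise notice.
        (root / "sync_ad.ps1").write_text(SAMPLES["sync_ad.ps1"] + "Remove-ADUser auditor -Confirm:$false\n")
        drift = diff_baseline(baseline, scan_tree(root))
        return {"ranked": [(Path(r["path"]).name, r["risk"]) for r in first],
                "drift": {k: [Path(p).name for p in v] for k, v in drift.items()}}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point `scan_tree` at a real script share or a mounted server path instead of the temp directory, persist the `{path: sha256}` baseline somewhere the script authors cannot write, and rerun `diff_baseline` on a schedule. Treat the regex hits as leads to review, not verdicts: the patterns are deliberately loose so that an unusual credential format is reported rather than missed.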
This is one area where products like ServiceNow have made their mark. They provide a very sophisticated, managed environment for automation. It’s one of the greatest things about ServiceNow beyond its ITSM services. A move in this direction is an evolution beyond Random Acts of Automation. Everything is centralized, governed, secure and audited.
But not everyone needs or wants ServiceNow. There are many ITSM products and if you’re already a user of one of them, it likely isn’t feasible to make the switch to ServiceNow.
That’s where Readibots Identity Automation comes in. Like ServiceNow, the READI platform is designed specifically for IT automation. Readibots offers IT shops a choice: a cloud-based automation platform that is technology agnostic. The READI platform is agile and cost effective, and it integrates seamlessly with any IGA solution (Sailpoint, Oracle, IBM, MicroFocus, Saviynt and others) and any ITSM solution (ServiceNow, Cherwell, BMC, Freshdesk, SolarWinds and others). With the READI platform, you get secure, governed automation at a fraction of the cost.
As a bonus, Readibots has a free assessment tool that will help organizations discover their scripts and identify the highest risks. In only a few hours, scripts can be cataloged, risk ranked, and if desired, migrated into the READI platform where they will become governed as part of a greater automation strategy.
Learn more about the READI platform at https://www.readibots.com