{"id":1969,"date":"2024-01-16T12:36:00","date_gmt":"2024-01-16T17:36:00","guid":{"rendered":"https:\/\/readibots.com\/?p=449"},"modified":"2024-06-11T10:29:31","modified_gmt":"2024-06-11T14:29:31","slug":"random-acts-of-identity-automation","status":"publish","type":"post","link":"https:\/\/readibots.com\/staging\/random-acts-of-identity-automation\/","title":{"rendered":"Random Acts of Identity Automation \u2013 Take the Quiz!"},"content":{"rendered":"\r\n<h2 class=\"wp-block-heading\">The problem<\/h2>\r\n\r\n\r\n\r\n<p>IT shops are typically complex, managing an array of moving parts. Keeping identities provisioned, licensed and secure involves endless touch points. There are the basics of ensuring that people in roles have access to the right applications, but most organizations quickly find that they still have a lot of gaps even after they deploy and configure a well-known IGA software product. IT professionals quickly discover that many applications aren\u2019t covered, data still needs to be managed, recertification campaigns need to be kicked off at the right time, and self-service needs to be implemented. There are literally hundreds of these scenarios. Buying an IGA was just the beginning. Many IT shops decide that solving the problems is either beyond the abilities of their IGA, or requires a tremendous amount of costly custom development. This, in turn, creates a new problem of documenting and maintaining custom code.<\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\">Take the Identity Automation Quiz!<\/h2>\r\n\r\n\r\n\r\n<p>Not sure about this? Take the Random Acts of Identity Automation Quiz with your team:<\/p>\r\n\r\n\r\n\r\n<ol class=\"wp-block-list\">\r\n<li>Do we have any privileged scripts? 
Where\u2019s the list?<\/li>\r\n\r\n\r\n\r\n<li>Do we have an identified owner of each?<\/li>\r\n\r\n\r\n\r\n<li>What systems and data do they touch?<\/li>\r\n\r\n\r\n\r\n<li>Where are they deployed?<\/li>\r\n\r\n\r\n\r\n<li>What credentials are being used with these scripts?<\/li>\r\n\r\n\r\n\r\n<li>How are the credentials stored \/ accessed?<\/li>\r\n\r\n\r\n\r\n<li>How are we protecting scripts from malicious modification?<\/li>\r\n\r\n\r\n\r\n<li>Is there an existing audit record showing who\u2019s modified them and when?<\/li>\r\n\r\n\r\n\r\n<li>When was each of these scripts and their access audited?<\/li>\r\n\r\n\r\n\r\n<li>What mechanism will alert when the scripts are changed?<\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n<p>If any of these 10 questions make you pause, then a serious team discussion is warranted.<\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\">The Lesser of Evils<\/h2>\r\n\r\n\r\n\r\n<p>Two choices remain:<\/p>\r\n\r\n\r\n\r\n<p>1. Automate, or<\/p>\r\n\r\n\r\n\r\n<p>2. Send it to the ITSM and manually fulfill<\/p>\r\n\r\n\r\n\r\n<p>The manual fulfillment option is the obvious choice and gets the job done, but it\u2019s error-prone, slow, and very expensive. Often, only the most painful of these tasks will get automated.<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">Random Identity Automation<\/h3>\r\n\r\n\r\n\r\n<p>Many organizations will pursue a path that we refer to as <em>Random Acts of Automation.<\/em> When the pain becomes unmanageable, someone decides to write a script to address the problem. With an immediate win, another isn\u2019t far behind. Then another, and it continues. Virtually every IT shop has these: random scripts that \u201cdo something\u201d, that \u201csomeone wrote\u201d, put on a server, and scheduled to run at certain points in the day.<\/p>\r\n\r\n\r\n\r\n<p>Let\u2019s be clear\u2026 these scripts can offer great relief. 
They are a quick fix to a problem, but they are the seeds of future problems.<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">Risk!<\/h3>\r\n\r\n\r\n\r\n<p>In a nutshell\u2026 random scripts are NOT governed and likely not documented, and that is a major risk, especially in a world where every organization is working to implement a governance model.<\/p>\r\n\r\n\r\n\r\n<p>Scripts almost always run in an elevated, admin context, and they run against production systems and data. These scripts often wield greater power than the admins who wrote them. People move on. They forget. Departments evolve. Many orgs are shocked to find out the extent of their problem! Many of these scripts have been running for years, and as long as the org is evolving, new scripts are likely being created to address new challenges. These scripts are prime candidates for a future breach!<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">History<\/h3>\r\n\r\n\r\n\r\n<p>How did we get here? \u201cIf it ain\u2019t broke, don\u2019t fix it.\u201d There\u2019s little desire to fix something that is working. These band-aids get created, they work, the team moves on. Months later, the pain is long gone, and the band-aid is forgotten. These build up. They are unmanaged, random, and therefore go undetected.<\/p>\r\n\r\n\r\n\r\n<p>Awareness is key. Often, CISOs aren\u2019t aware that this is happening and so they are unable to govern it. Correcting this has to come from the top as part of a security initiative.<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">Discovery<\/h3>\r\n\r\n\r\n\r\n<p>The old adage applies: you can\u2019t manage what you can\u2019t measure. Awareness starts with measurement. A scan of all target servers and workstations that are likely to have automation scripts is a good start. Identify the potential sources; you might be surprised what you actually find.<\/p>\r\n\r\n\r\n\r\n<p>Next, look for the low-hanging fruit: are there embedded credentials? Is the script running in an admin context? 
Get these identified and on the action list.<\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\">Management and Governance<\/h2>\r\n\r\n\r\n\r\n<p>The next step is taking measured action. To solve this, scripts will need to be co-located in a common repository where there\u2019s some access governance. Scripts can be moved to folders, code signed, and credentials pulled from a vault. This is a big step forward, but many controls are still missing. The organization will need to assign a capable script author and create a thoughtful implementation plan.<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">Going Forward<\/h3>\r\n\r\n\r\n\r\n<p>How will we handle auditing? How will we ensure that a script cannot be changed? How will we know if it has been changed? How will we implement SOD? For these kinds of controls, typical of an ISO 27001 shop, the bare-knuckles approach to identity automation becomes very complicated.<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">Identity Automation Platforms<\/h3>\r\n\r\n\r\n\r\n<p>This is one area where products like <a href=\"http:\/\/www.servicenow.com\/\">ServiceNow<\/a> have made their mark. They provide a very sophisticated, managed environment for identity automation. It\u2019s one of the greatest things about ServiceNow beyond their ITSM services. A move in this direction is an evolution beyond Random Acts of Automation. Everything is centralized, governed, secure and audited.<\/p>\r\n\r\n\r\n\r\n<p>But not everyone needs or wants ServiceNow. There are many ITSM products, and if you\u2019re already a user of one of them, it likely isn\u2019t feasible to make the switch to ServiceNow.<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">Complement your IGA and ITSM Investments<\/h3>\r\n\r\n\r\n\r\n<p>That\u2019s where Readibots Identity Automation comes in. Like ServiceNow, the READI platform is designed specifically for IT automation. 
Readibots offers IT shops a choice \u2013 a cloud-based automation platform that is technology agnostic. The READI platform is agile, cost effective and integrates seamlessly with any IGA solution (SailPoint, Oracle, IBM, MicroFocus, Saviynt and others) and any ITSM solution (ServiceNow, Cherwell, BMC, Freshdesk, SolarWinds and others). With the READI platform, you get secure, governed automation at a fraction of the cost.<\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\">Are you READI to get started?<\/h2>\r\n\r\n\r\n\r\n<p>The READI Platform provides management and governance over scripts which already exist, as well as providing a platform for you to build more with governance. As a bonus, Readibots has a free assessment tool that will help organizations discover their scripts and identify the highest risks. In only a few hours, scripts can be cataloged, risk ranked, and if desired, migrated into the READI platform where they will become governed as part of a greater automation strategy.<\/p>\r\n","protected":false},"excerpt":{"rendered":"<p>The problem IT shops are typically complex, managing an array of moving parts. Keeping identities provisioned, licensed and secure involves endless touch points. There are the basics of ensuring that people in roles have access to the right applications, but most organizations quickly find that they still have a lot of gaps even after they<\/p>\n","protected":false},"author":6,"featured_media":1981,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_seopress_robots_primary_cat":"none","_seopress_titles_title":"Random Acts of Identity Automation \u2013 Take the Quiz!","_seopress_titles_desc":"IT shops are typically complex managing many moving parts. Provisioning identities licenses involves endless touch points. 
Readibots is built for IT Automation.","_seopress_robots_index":"","footnotes":""},"categories":[12],"tags":[98,29],"class_list":["post-1969","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-identity","tag-service-desk"],"acf":[],"_links":{"self":[{"href":"https:\/\/readibots.com\/staging\/wp-json\/wp\/v2\/posts\/1969","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/readibots.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/readibots.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/readibots.com\/staging\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/readibots.com\/staging\/wp-json\/wp\/v2\/comments?post=1969"}],"version-history":[{"count":1,"href":"https:\/\/readibots.com\/staging\/wp-json\/wp\/v2\/posts\/1969\/revisions"}],"predecessor-version":[{"id":1982,"href":"https:\/\/readibots.com\/staging\/wp-json\/wp\/v2\/posts\/1969\/revisions\/1982"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/readibots.com\/staging\/wp-json\/wp\/v2\/media\/1981"}],"wp:attachment":[{"href":"https:\/\/readibots.com\/staging\/wp-json\/wp\/v2\/media?parent=1969"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/readibots.com\/staging\/wp-json\/wp\/v2\/categories?post=1969"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/readibots.com\/staging\/wp-json\/wp\/v2\/tags?post=1969"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}