Friday, September 14, 2007

Is there an identity management detective in the house?

I had a meeting here in Dresden with a CIO from a 500,000 employee German company. The basis for the meeting was to listen to the CIO's biggest pain points and determine how our company could help them.

The discussion was very interesting overall but especially interesting for me when he started describing the problems he was having with Active Directory identity management. When I started to drill into the problem he was completely unable to tell me who or what was changing Active Directory. In their environment it was simply impossible to know who (or what) was making changes.

The company is so political that he can't even get departments or divisions to answer the simple question of: "If you have a program or process that is creating, updating or deleting attributes or objects from Active Directory please describe."

Traditionally, our role as an ISV is to sell a product and start rationalizing the identity "crisis" for that customer. But what happens when you can't even identify who or what is making changes to an identity repository? Do you simply respond with a train load of consultants to start doing interviews and mapping processes? I guess that's an answer but how long will that take and will it be accurate and complete? (Even if it is accurate and complete I can assure you it will probably be out of date the next day/week/month)

So what do you do to help in this situation? Is there a role for an identity management "detective"?

Technorati Tags:


Torbjorn said...

This is not an uncommon situation with a political situation blocking any steps towards changing the present situation.

I ran into a company that wanted to make a TCO estimate on their present IT infrastructure.

Corporate Managment gave support to the decision, we dug in and started to work. The more we looked the more we found ending up with a total of 165 parallel IT organisations working individually throughout the Group of companies.

This is a matter for C-level managment to act on. Prior to that there really isn't anything to do to change the situation.

- Torbjorn

Anonymous said...

Technically, you could probably try and use auditing Tools like Quest's InTrust :-) to find out who is actually making changes.

Politically speaking, this won't help you a bit. What are you going to do after naming the persons doing the administration, if there is no way to get them to agree to some sort of common standard? As long as people are not willing to cooperate, the whole affair will be doomed from the start. Cooperation or the lack thereof is a part of company culture, and company culture is, to my opinion, defined by and led by example of the C-level management.

Not being an ID management person myself (just AD), I agree very much with torbjorn in that there's no technical solution to a problem whose origin is more in the psychological or organizational realm.

dimikagi said...

Assuming you get the go ahead, there is definitely an answer . . . Ethereal!

Yes, the humble packet sniffer can find a lot of this stuff if you are crafty with it. If you are handy with it, and some regular expressions, and get the blessing of your network admins and CIO, I would strongly suggest you put the packet sniffer onto a promiscuous port on one of your main switches.

Not only will you get some really interesting results, but you can track down a lot of stuff very quickly. Once you have a day's worth of packet captures, you can see everything that is in the clear, including LDAP calls (very bad), telnet session (shut those down!) and other naughty things that are probably not allowed.

And if they are allowed, you need to start reviewing your policies. Because even though you can do all this with the admins' and managers' permissions, there could be others already doing it without asking.