| Subcribe via RSS

The Problem of Non-User IDs in Organizations Today

February 4th, 2016 | No Comments | Posted in General Idm/IAM, IdM Engagement

identities(The contents of this article are captured here and reflected back in response to an article posted on SailPoint’s Identity Quotient Blog article entitled “Third-Party Contractors: The Target Breach’s Bulls-eye.” I recommend reading that article to establish context for this article.)

It is fairly well known and pretty much public knowledge that the Target breach took place leveraging 3rd party credentials that were phished from an associated Heating Venting and Air Conditioning (HVAC) vendor.  This was the initial point of entry into the Target network.

However, the HVAC credentials were primarily leveraged only for initial access. Credit card data was not being accessed and syphoned using that specific HVAC ID. Nevertheless, controls around time of access and other metadata information that could be policy driven within SailPoint IdentityIQ around that 3rd party access are still cogent to the discussion as per the aforementioned SailPoint article.

What isn’t mentioned in the article is that SailPoint IdentityIQ and ideally any IdM product could and should have a very big part to play in the gathering of and providing governance around Non-User IDs (NUIDs) — testing IDs, training IDs, B2B FTP IDs, generic admin IDs (that should be privileged access managed anyway), application IDs (huge!), etc.

Organizations typically have thousands, tens of thousands and yes, even millions of orphaned and ungoverned NUIDs, in terms of overall access, proliferated, orphaned and laying dormant on end-point servers and systems…

To an attacker, an ID is an ID is an ID. Any ID will suffice in order to establish a beachhead on a system and then begin trying to “walk” systems, ideally though the elevation of access. This is typically how deep penetration and spanning of internal networks has taken place in a lot of recent breaches. When attacking a system and attempting to establish access, it doesn’t matter to the attacker whether the initial ID used is technically a normal and established user ID (with or without governance around it) or a NUID that typically is not being properly tracked and governed within organizations. In fact, NUIDs represent an ideal target due to the fact they don’t have visibility and normal and established governance around them in many organizations.
More »

Tags: , , , , ,

SailPoint IIQ: Rule Modeling in Real Java :-)

I’ve been sitting on this article and concept for months and have had others ask me about it via email — whether I’ve ever done something like this before — and well… here it is.

Tired of No BeanShell Coding Validation!

It turns out I was sitting around in my hotel room in Bangalore on India Independence Day last year, whacking away on some client code, doing some data modeling using CSV. I had a somewhat involved BuildMap rule I was working on and I was getting a null pointer exception I simply could not find. A few hours and one simple coding mistake later, once discovered, I was finally on my way. But it was really discouraging to know that if I had been coding in Eclipse, the coding mistake would have been spotted immediately.

The next thought I had was actually two-fold. While I have at times actually written test straps in real Java using the Sailpoint IIQ Java libraries (ie. jars) and dropped my BeanShell code into procedures to instantly validate the syntax, I have also wanted at some point in time to be able to simulate or partially simulate rule modeling and data modeling outside of Sailpoint IIQ using Java I had complete control over writing and executing.

So on this particular day, being particularly irked, I decided to combine those two wishes and see what I could do about having a place I could not only drop, for instance, BuildMap rule code into Eclipse and instantly validate it, but also execute the code I intended for Sailpoint IIQ against connector sources I also had connected to Sailpoint IIQ (in development, of course!) and see and manipulate the results.

Once I was done iterating my development over a real dataset, I could take my validated Java code, drop it back into Sailpoint IIQ in BeanShell and have not only validated but also working code in Sailpoint IIQ with very little or no modification.

Establishing SailPoint Context

One thing you will need if you want to run your Java code in an actual Sailpoint IIQ context outside of Sailpoint IIQ proper is establishing SailPointContext in your code. This, I will tell you, while not impossible, is not easy to do. You need to implement the Spring Framework and a lot of other stuff. If you are interested in doing this and have access to SailPoint Compass, you can actually read about establishing SailPointContext here4.

Since doing that much work wasn’t something I had the time for doing, almost immediately I decided to implement a partial simulation that would allow me to (1) model and validate my rule and (2) also allow me to model my data very simply and easily without establishing SailPointContext. I could still achieve my goal of iterating the solution to produce validated and working code to drop back into Sailpoint IIQ in this way.

The Code

Amazingly, the code for simulating a BuildMap rule, pointing it to the actual CSV I intend for Sailpoint IIQ, and simulating an account aggregation task is not that complex. Once you have the code, if you understand how Sailpoint IIQ works in general, you could conceivably re-engineer and simulate other segments of Sailpoint IIQ processing or modeling other rule types and.or data outside of Sailpoint IIQ1.
More »

Tags: , , , , , , , ,