Had the chance to speak with a senior member of the security team at a large entertainment company this week about some of their challenges regarding access management. The conversation immediately turned to his issues with provisioning, “onboarding and offboarding” as he referred to it each time. I thought that meant we would be referring him to one of our partners in the identity management world, and quickly turning ourselves into a supporting player. I was wrong. They have a system in place to do provisioning. It’s comprised of some commercial bits and some things they built in house. He’s not concerned with the typical matters like creating accounts, disabling accounts, and maintaining records. The challenge they are looking to take on is making sure that access is right every time a change happens. They not only want to have the records be right when a change happens; they want to be sure all access is cleaned up with every change as well.
The problem with a goal like making sure access is correct is that it raises the question of knowing the state of access at any time. So what they need is a way to see exactly what access is granted to every account, how it’s granted, and all the context they can get to allow users to make choices about that access as change happens. And there is a lot of change in this organization. Since they are a major entertainment company, nearly everything they do involves a lot of contractors and temporary employees. I know we don’t tend to think about movie stars as temps, but, when you think about it from an IAM perspective, they’re pretty similar. (Maybe a bit better paid than your average temp, though.) All those contractors mean lots of accounts that are created, used for a bit, and then put on ice. They hardly ever delete accounts because they tend to work with the same people on multiple projects. But each big project has a completely different P&L and different assets to control. So they always need to recode a great deal of the details in each account (hence they built some of their own bits for provisioning). Each time the account comes back to life, it should essentially be starting from scratch in terms of access to resources. And that’s where the challenges lie. In a perfect world, every single access would be granted through groups, and every single group membership would be recorded. Then it’s simply a matter of stripping the groups. But the real world is messier, and so this guy pointed out that there is always hidden direct access, along with group memberships that were added outside the normal process.
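As an added illustration of the reconciliation step described above (this is not the company's tooling, nor code from the original post), here is a small access-analysis pass that classifies everything a reactivated contractor account can reach as either granted through a recorded group, granted through a group the provisioning record never mentioned, or granted directly to the account. The account name, group names, resource paths and ACL entries are all constructed sample data.

```python
"""Reconcile one account's effective access against its provisioning record.

Added example, not the company's own code. All data below is constructed.
It models the situation in the post: a contractor account comes back to life,
and every entitlement it holds should be traceable to a group that the
provisioning system recorded. Anything else is a cleanup candidate.
"""
from collections import namedtuple

# --- constructed sample data --------------------------------------------

# What the provisioning system *recorded* for the account (the intended state).
PROVISIONED_GROUPS = {
    "jdoe": {"proj-alpha-editors"},
}

# What the directory *actually* shows. The second group was added out of band.
DIRECTORY_GROUPS = {
    "jdoe": {"proj-alpha-editors", "proj-beta-finance"},
}

# ACL entries per resource: (principal, principal_type, permission).
ACL = {
    "fs01/alpha/dailies": [
        ("proj-alpha-editors", "group", "read"),
    ],
    "fs01/beta/budget": [
        ("proj-beta-finance", "group", "read"),
        ("jdoe", "user", "write"),   # direct grant that bypasses groups entirely
    ],
}

Finding = namedtuple("Finding", "kind resource via permission")


def reconcile(user, acl, directory_groups, provisioned_groups):
    """Classify every entitlement the user holds and say what to revoke.

    kind is one of:
      'ok'     - via a group the provisioning record says the user should have
      'rogue'  - via a group the user is in but provisioning never recorded
      'direct' - granted to the user account itself, not through any group
    """
    actual = directory_groups.get(user, set())
    recorded = provisioned_groups.get(user, set())

    findings = []
    for resource, entries in acl.items():
        for principal, ptype, perm in entries:
            if ptype == "user" and principal == user:
                findings.append(Finding("direct", resource, principal, perm))
            elif ptype == "group" and principal in actual:
                kind = "ok" if principal in recorded else "rogue"
                findings.append(Finding(kind, resource, principal, perm))

    return {
        # group memberships present in the directory but absent from the record
        "unrecorded_groups": sorted(actual - recorded),
        # recorded memberships that are missing from the directory
        "missing_groups": sorted(recorded - actual),
        "findings": findings,
        # everything not traceable to a recorded group gets stripped on reactivation
        "revoke": [f for f in findings if f.kind != "ok"],
    }


if __name__ == "__main__":
    report = reconcile("jdoe", ACL, DIRECTORY_GROUPS, PROVISIONED_GROUPS)
    print("unrecorded groups:", report["unrecorded_groups"])
    for f in report["findings"]:
        print(f"{f.kind:6} {f.resource:20} via {f.via} ({f.permission})")
    print("to revoke:", len(report["revoke"]))
```

The point of the `missing_groups` field is the other half of the same check: a provisioning record that lists a group the directory no longer shows is just as much a sign that changes happened outside the process as an unrecorded membership is.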
That only begins to scratch the surface of the full problem. This guy also described their issues around freelancers, who may be brought in by their company, may be brought in by the contractor, or may be brought in by an individual as a consultant to them, and in every case it is the same person. The freelancer may be on multiple projects at once in different roles, too. Keeping tabs on their access is also a challenge. We talked about how our access analysis could help, and how they could feed all that into their IAM systems, commercial and home grown. That was pretty exciting for him. There’s a lot more for us to discuss, but what was eye opening for me was how closely keeping access neat and organized is tied to provisioning events.