The 60th Edition of the Identity Jedi Newsletter
We need new SOX, you need a plan
Hey Jedi, welcome to the 60th edition of the Identity Jedi Newsletter! It’s a Friday edition, as life got the better of me this week. We are almost to 2024, Jedi! Can you believe it!? Time to start checking those goals for the year, and thinking about how we are going to dominate 2024!
Let’s Get to the Good Stuff!
Time to change SOXs
IAM Pre-Planning
WHAT’S HAPPENING THIS WEEK
Time to change SOXs
While we’ve ridden the back of SOX for years to drive marketing and sales around IAM projects, it’s time we take a hard look at what SOX is and what it isn’t.
Let’s start with the latter. IT ISN’T a security control.
GASP!!
The Act contains provisions affecting corporate governance, risk management, auditing, and financial reporting of public companies, including provisions intended to deter and punish corporate accounting fraud and corruption.
SOX is about corporate governance regarding financial disclosures of public companies: making sure that companies have sufficient controls around systems that affect the financial data of a company, and ensuring that there are processes in place to prevent fraudulent activity. Ya know, like filing fake accounting records, showing profit that isn’t really there, hiding toxic debt, etc. For my young readers who may be thinking... would a company really do that? I give you Enron.
But I digress..
None of this has anything to do with identity security controls. And yet, because of the 20+ years of building a market around SOX compliance, we kinda made it seem like it did. This leads customers to focus only on applying controls around the applications that affect financial data, thus making them compliant. Thus, making them secure….right?
Don’t get me wrong, SOX is needed and should continue to exist, but I think it’s about time we develop our own SOX for actual identity security controls: standards that provide clear and precise guidance on how to secure accounts, data, and systems.
Hmm…that sounds vaguely familiar……
Oh wait! Isn’t that SOC2!?!
Yeah…sure…..kinda…
A SOC 2 examination is a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. SOC 2 reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.
I’ll give you three guesses on who came up with the SOC/SOC2 process….
…………(pause for you to guess…)………….(no cheating... don’t google it)……………..
Give up?
Accountants
Pull out that piece of trivia at your upcoming holiday functions.
And these weren’t even cool accountants like the one Ben Affleck played. Nope, just regular old accountants. Are you sensing a theme here?
I think it’s time we address the issue and change our SOX/SOC’s. It’s been fun while it lasted, but we’ve been running around in these for a while. We’ve got holes in them, and we can’t tell what color they originally were anymore.
IAM Planning
I’ve said this before, and recent interactions have me doubling down on this stance.
To be successful with your IAM program, you HAVE to have some upfront planning. And no, it isn’t fun. You need to have those discovery meetings and understand the manual process in place today. YES, you have to talk to each application owner and understand how they manage access to their applications today. YES, you must establish your central IAM team to discuss priorities, guide projects, and help fight for the budget. And, YES, you will need to find an executive owner for the program.
We’ve seen it too often: without these things in place, your program will hit issue after issue. Technology will not save you from this, no matter what the salesperson tells you. Owning this process means rolling up your sleeves, getting dirty with the understanding of your business, and having discussions about changing certain business processes.
Identity Jedi Show Podcast
SEASON TWO is live! You can see the live session from Austin on the YouTube channel (hit the link below), annnnd hopefully by the time you get this, you can also listen on Spotify, Apple Podcasts, and all other podcast platforms.
The Last Word
Data-centric identity solutions. Last week I talked about the Identity Data Fabric, and I’m dead set on the side of the discussion that building a solution by starting with data is absolutely the way to go. We need to better understand how identity data is connected and the relationships between that data. Once we understand that, the actions we want to take (access reviews, provisioning, etc.) become that much easier.
Happy Friday, friends. Enjoy the weekend!
Be Good to each other, Be Kind to each other, Love each other
-Identity Jedi