The 60th Edition of the Identity Jedi Newsletter

We need new SOX, you need a plan

Hey Jedi welcome to the 60th edition of the Identity Jedi Newsletter! It’s a Friday edition as life got the better of me this week. We are almost to 2024 Jedi! Can you belive it!? Time to start checking those goals for the year, and thinking about how we are going to dominate 2024!

Let’s Get to the Good Stuff!

  • Time to change SOXs

  • IAM Pre-Planning

WHAT’S HAPPENING THIS WEEK

Time to change SOXs

While we’ve ridden the back of SOX for years to drive marketing and sales around IAM projects, it’s time we take a hard look at what SOX is and what it isn’t.

Let’s start with the latter. IT ISN’T a security control.

GASP!!

The Act contains provisions affecting corporate governance, risk management, auditing, and financial reporting of public companies, including provisions intended to deter and punish corporate accounting fraud and corruption.

SOX is about corporate governance regarding financial disclosures of public companies. Making sure that companies have sufficient controls around systems that affect the financial data of a company and ensuring that there are processes in place to prevent fraudulent activity. Ya know, like filing fake accounting records, showing profit that isn’t really there, hiding toxic debt, etc. For my young readers who may be thinking..would a company really do that? I give you Enron.

But I digress..

None of this has anything to do with identity security controls. But yet, because of the 20+ years of building a market around SOX compliance, we kinda made it seem like it did. This leads customers to focus only on applying controls around the applications that affect financial data, thus making them compliant. Thus, making them secure….right?

Don’t get me wrong SOX is needed, and should continue to exist, but I think it’s about time we develop or own SOX for actual identity security controls. Standards that provide clear and precise guidance on how to secure accounts, data, and systems.

Hmm…that sounds vaguely familiar……

Oh wait! Isn’t that SOC2!?!

Yeah…sure…..kinda…

A SOC 2 examination is a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. SOC 2 reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.

I’ll give you three guesses on who came up with the SOC/SOC2 process….

…………(pause for you go guess…)………….( no cheating..don’t google it) ……………..

Give up?

Accountants

Pull out that piece of trivia at your upcoming holiday functions.

And these weren’t even cool accountants like the one Ben Affleck played. Nope, just regular old accountants. Are you sensing a theme here?

I think it’s time we address the issue and change our SOX/SOC’s. It’s been fun while it lasted, but we’ve been running around in these for a while. We’ve got holes in them, and we can’t tell what color they originally were anymore.

IAM Planning

I’ve said this before, and recent interactions have me doubling down on this stance.

To be successful with your IAM program, you HAVE to have some upfront planning. And no, it isn’t fun. You need to have those discovery meetings and understand the manual process in place today. YES, you have to talk to each application owner and understand how they manage access to their applications today. YES, you must establish your central IAM team to discuss priorities, guide projects, and help fight for the budget. And, YES, you will need to find an executive owner for the program.

We’ve seen it too often that your program will hit so many issues if you don’t have these things in place. Technology will not save you from this. No matter what the salesperson tells you. Owning this process means rolling up your sleeves, getting dirty with the understanding of your business, and having discussions about changing certain business processes.

#245 - Taking IAM to the Bank with Dave Middleton of Bank of America

Listen to this episode from Identity at the Center on Spotify. In this episode of the Identity at the Center Podcast, Jim and Jeff welcome Dave Middleton, Senior Vice President at Bank of America responsible for IAM and Cryptography Product Management. Dave shares his insights on various topics related to identity and access management (IAM). The episode begins with a discussion on how Dave got into the field of identity and the role of a product manager. Dave also talks about his conference experiences and the importance of balancing security and usability in IAM solutions. The conversation then delves into the difference between digital identity and IAM, as well as the evolving landscape of Identity Governance and Administration (IGA). Dave provides his thoughts on risk-based access governance and the role of technologies like Zero Standing Privilege (ZSP) and User Behavior Analytics (UBA). To wrap up the episode on a lighter note, Dave is asked to choose a universe to live in between The Walking Dead, Game of Thrones, and The Matrix. Connect with Dave: https://www.linkedin.com/in/davidmidd/ Learn more about Year Up: https://www.yearup.org/ Connect with us on LinkedIn: Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/ Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/ Visit the show on the web at idacpodcast.com and follow @IDACPodcast on Twitter.

Identity Jedi Show Podcast

SEASON TWO is Live! You can see the live session from Austin, on the Youtube channel. ( Hit the link below) annnnd hopefully by the time you get this, you can also listen on Spotify, Apple Podcast, and all other podcast platforms.

The Last Word

Data-centric identity solutions. Last week I talked about the Identity Data Fabric, and I’m dead set on the side of the discussion that building a solution by starting with data is absolutely the way to go. We need to understand better how identity data is connected and the relationships between that data. Once we understand that, the actions we want to take ( Access Reviews, Provisioning, etc) become that much easier.

Happy Friday, friends. Enjoy the weekend!

Be Good to each other, Be Kind to each other, Love each other

-Identity Jedi

What did you think of this weeks newsletter?

Login or Subscribe to participate in polls.

The Jedi Council

Subscribe to Premium to read the rest.

Become a paying subscriber of Premium to get access to this post and other subscriber-only content.

Already a paying subscriber? Sign In.

A subscription gets you:

  • • Blogs
  • • Expert Interviews
  • • Expanded Commentary
  • • Early Access to Identity Show content

Reply

or to participate.