Self-Service and Automation

And we also have the option of self-service. The cost of and the notional cost of a service desk call is around $50 US. So if we can reduce this cost, this is perceived as being desirable, typically a desirable outcome. And also the speed of provisioning becomes far faster. It can become instant. We may wish to delay that through approval processes, as we’ve said, for example, with bring your own device devices. We may place the devices in a quarantine area, subject to approval. We may wish to consider some of the following. We could look at device enrollment, profile management, the ability to unlock accounts, the ability to reset accounts. All of these typically would result in a helpdesk call.

If we can avoid those helpdesk calls, we lower cost. But we have to make sure that the process is one that works. And Bruce Schneier once described the password recovery options for accounts as being easier to guess than the password itself. So if you look at your web mail or any of the online accounts that you have, you have to set recovery questions, or you usually are suggested to set recovery questions. And these questions are questions like your mother’s maiden name, where were you born, the name of your first pet. These are not secret. Absolutely, these are not secret. Very simple to social engineer this information.

And for people on a public platform, for famous people, this kind of information is in the public domain often. So in 2005, Paris Hilton had her T-Mobile account hacked by a teenager. And all they had to know was the name of Paris Hilton’s pet, her pet dog. And in order to find that out, all they had to do was google ‘What was the name of Paris Hilton’s pet?’ Pretty simple way to compromise an account. In, 2008 Sarah Palin, the US politician, her Yahoo account was hacked by a college student.

And they did this by resetting her password using the recovery information, which was her date of birth, her zip code, and the place where she met her spouse – all available on her Wikipedia page. In 2014, after nude photos of several Hollywood actresses were leaked, Apple reported that their iCloud accounts had been hacked through a very targeted attack on usernames, passwords, and the recovery security questions. So we need to be careful, if we are using self-service, that we are not creating a new attack vector.

We talked a little bit about automation already. We can look to create additional accounts or primary accounts. The way we typically do this is through the use of middleware or APIs, Application Programming Interfaces. If we are doing this, we need to have a good sense of awareness around the data quality that we are consuming in order to provision a new account. Because if we are taking information that is stale or information that is inaccurate, again, that mistake becomes propagated forward.

For the business logic, we need to consider which systems have primacy over different types of information. If it’s possible to update your telephone number through your voice over IP telephone system, through your intranet phone book, through your directory service, you potentially can have conflicting changes. Which one of those systems should have primacy when they synchronise overnight, for example.

Automation via middleware or APIs is absolutely possible. And this can help us with some of the manual processes; it can reduce the workload. That business logic we need to understand. The latency, again, becomes an issue. We need to understand it, at the very least, to understand what the impact will be. By default, if you make changes to an active directory account, it can take 15 minutes to propagate. If we’re using provisioning more widely outside the directory, it may be instant. It may not. So again, this may not suit our privileged access management accounts.