Thursday, March 25, 2010

There are significant IT problems hindering completion

That’s one of the comments from the article I referenced in yesterday’s blog post about HSPD-12. I decided to track down the referenced “report” and found it here: http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_10-40_Jan10.pdf.

I figured it would be interesting to read what the “significant IT problems” were. Many of the problems highlighted in the report had to do with funding, lack of manpower, higher priority projects and the like. We’ve all seen those in our jobs. What was most interesting to me was some of the more real, day-to-day problems that have cropped up as part of the project. Here’s a selection from the report – I’ve edited my excerpts but I've tried to preserve context and content as much as possible:
  • There are many unused and unaccounted for test accounts and cards currently active
  • There may be an excessive number of individuals with account access. Our analysis identified 11 “su,” or “super user,” accounts, which grant full access and allow the user to view and monitor system logs. The principle of least privilege must be implemented under DHS policy, and access to system logs should be restricted.
  • We identified three web application accounts that were not assigned to specific individuals. Two were system accounts, used to initially set up the system and create administrative accounts; both of these accounts can no longer be used to access any information or establish new accounts. The third was a temporary test account that was never deleted. Accounts that are not in use or have never been used should be deleted.
  • All IDMS EIWS users share one local administrator account.
  • Forty of the 1,539 deactivated (smart) cards, or 2.6%, were deactivated but incorrectly left active in (the physical access system). When physical access rights are still activated on a card, an individual may gain unauthorized access to DHS Headquarters facilities and areas.
What’s the moral of the story? Provisioning and de-provisioning aren’t working correctly, privileged accounts are not being audited or monitored appropriately and the principle of “least privilege” is not being followed consistently.
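As an added example (not part of the original post or the OIG report), here is a small reconciliation script over constructed sample exports that surfaces each class of finding listed above: deactivated cards still honoured by the physical access system, accounts with no named owner, accounts that were never used, and a superuser count above an agreed ceiling. The export field names, the sample values and the ceiling of one su account are assumptions.

```python
"""Reconcile a card management system (CMS) export against a physical access
control system (PACS) export and an application account list, flagging the
kinds of provisioning gaps the OIG report describes. All data is constructed."""

# Constructed sample exports: card status in the CMS and in the PACS.
CMS_STATUS = {"C001": "active", "C002": "deactivated",
              "C003": "deactivated", "C004": "active"}
PACS_STATUS = {"C001": "active", "C002": "active",
               "C003": "inactive", "C004": "active"}

# Constructed sample account list; owner None means no named individual.
ACCOUNTS = [
    {"name": "jsmith", "owner": "J. Smith", "role": "user", "last_login": "2010-01-12"},
    {"name": "su_ops1", "owner": "Ops Team", "role": "su", "last_login": "2010-02-01"},
    {"name": "test_acct", "owner": None, "role": "user", "last_login": None},
    {"name": "setup_admin", "owner": None, "role": "su", "last_login": "2009-06-01"},
]


def cards_deactivated_but_open(cms, pacs):
    """Cards the CMS marks deactivated that the PACS still treats as active."""
    return sorted(c for c, s in cms.items()
                  if s == "deactivated" and pacs.get(c) == "active")


def deactivation_mismatch_rate(cms, pacs):
    """(stale, deactivated, percent) in the same form the report uses."""
    deactivated = [c for c, s in cms.items() if s == "deactivated"]
    stale = cards_deactivated_but_open(cms, pacs)
    pct = round(100.0 * len(stale) / len(deactivated), 1) if deactivated else 0.0
    return len(stale), len(deactivated), pct


def unassigned_accounts(accounts):
    """Accounts not tied to a specific individual (shared, system or test)."""
    return sorted(a["name"] for a in accounts if not a["owner"])


def never_used_accounts(accounts):
    """Accounts that exist but have never logged in; candidates for deletion."""
    return sorted(a["name"] for a in accounts if a["last_login"] is None)


def superuser_accounts(accounts, ceiling):
    """Return the su accounts and whether they exceed an agreed ceiling."""
    sus = sorted(a["name"] for a in accounts if a["role"] == "su")
    return sus, len(sus) > ceiling


if __name__ == "__main__":
    print("stale cards:", cards_deactivated_but_open(CMS_STATUS, PACS_STATUS))
    print("mismatch:", deactivation_mismatch_rate(CMS_STATUS, PACS_STATUS))
    print("unassigned:", unassigned_accounts(ACCOUNTS))
    print("never used:", never_used_accounts(ACCOUNTS))
    print("su accounts:", superuser_accounts(ACCOUNTS, ceiling=1))
```

Run against real CMS, PACS and application exports, each check is a candidate control: the first two belong in the de-provisioning workflow, the rest in a periodic privileged-account review.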

Are these problems ones that would only occur in this project? Only in the US government? Only with respect to smart cards or PKI? No. Absolutely not. They occur everywhere. However, it goes to show that *any* IT project really needs to be based on solid identity and access management procedures and products. That’s the only way that one can achieve compliance. That’s the only way that problems like the ones identified in the report can be avoided from the outset.

1 comment:

Anonymous said...

Very true. I know of many implementations I was part of ... the Configurator (Sun IDM su) account never was disabled. It was always there.

Also people who left companies had their emails and logins active. And these are companies which implement IAM solutions to large clients; LOL.