Starting to feel a sense of frustration. No it doesn't effect me personally. I am still the same 'white hat' as always.
I went through the series of interviews for different positions recently. It was an absolute waste of time. What caught my attention is a level of arrogance and mindless stupidity coming from the people who should be paying attention. Each interview was along same well travelled paths:
Can you install software?
Can you connect it to the ERP (or whatever they connecting it to) ?
etc.
So they all concentrate on the Functional requirements. Most forget the security of your software falls into the Non-Functional requirements.
No one had a slightest idea that before you implement Functional requirements you need to make sure that your 'Security Software' being it Sailpoint, Oracle or Forgerock or whatever:
is in itself secured.
The buzz word 'security software' doesn't make it to be secure on its own.
Someone has to do it.
Otherwise your Security Software will be looking like a cowboy wearing pants with two guns in the front pockets and two wide cutaways in the back.
Yes your company rear will be exposed.
Almost all of the vendors use 3 tiered system:
Front web tier
Application tier
Database Tier
If none of these tiers are hardened and secured you will end up with the pants above.
Any IAM implementation project therefore need to start and concentrate on fulfilling the Non-Functional requirements first and foremost.
Only after the Non-Functional requirements are tested and approved the Functional requirements can be addressed.
I strongly recommend to follow NIST, ASD and some other standards to secure the 'Security Software'.
But you can always buy pants as they are widely available out there :) and plenty of integrators who are happy to sell them.
I went through the series of interviews for different positions recently. It was an absolute waste of time. What caught my attention is a level of arrogance and mindless stupidity coming from the people who should be paying attention. Each interview was along same well travelled paths:
Can you install software?
Can you connect it to the ERP (or whatever they connecting it to) ?
etc.
So they all concentrate on the Functional requirements. Most forget the security of your software falls into the Non-Functional requirements.
No one had a slightest idea that before you implement Functional requirements you need to make sure that your 'Security Software' being it Sailpoint, Oracle or Forgerock or whatever:
is in itself secured.
The buzz word 'security software' doesn't make it to be secure on its own.
Someone has to do it.
Otherwise your Security Software will be looking like a cowboy wearing pants with two guns in the front pockets and two wide cutaways in the back.
Yes your company rear will be exposed.
Almost all of the vendors use 3 tiered system:
Front web tier
Application tier
Database Tier
If none of these tiers are hardened and secured you will end up with the pants above.
Any IAM implementation project therefore need to start and concentrate on fulfilling the Non-Functional requirements first and foremost.
Only after the Non-Functional requirements are tested and approved the Functional requirements can be addressed.
I strongly recommend to follow NIST, ASD and some other standards to secure the 'Security Software'.
But you can always buy pants as they are widely available out there :) and plenty of integrators who are happy to sell them.
Comments
Post a Comment