top | item 46902479

(no title)

The softer approach to this I've implemented in the past is to ingest and link up org data (user accounts, groups, projects, etc) into one central DB and then provide an audit notifications or dashboards to authorized users. Examples:

    - Slack user detected with full access that isn't associated with a staff-grouped LDAP account
    - Group A in System X doesn't match the members of Group A in System Y)
    - Service Z provisioned, but their associated customer account is deactivated

These kinds of violations _can_ be automatically synchronized in a variety of ways, but I've seen that result in politically embarrassing outcomes (e.g. Sensitive user X is fired, their Slack account is automatically deactivated, people notice before some kind of staff meeting can be held to talk about what's going on).

discuss

No comments yet.