Note-to-self: Normalization of deviance in security: how broken practices become standard [must read]

If you search the internet you’ll quickly find the original article: “Normalization of deviance in software: how broken practices become standard”

All credits go to the original post:

And to honor the truth completely, the hint was posted by Joe Richards at
Joe has highlighted some important remarks in his blog post. But there is more…

What reasons do people or companies have NOT to implement best practices, or to ‘forget’ to implement them?
What easily becomes accepted as normal? And why not speak up if you think something is wrong…

Just replace the ‘software’ in the article and title by ‘security’ …

Simply must read!
[Or actually, simply must implement, every day.]

Planning #FIM2010 Security & Best Practices

While supporting FIM customers in assessing their FIM environment and helping them maintain their FIM configuration, two discussion topics are all-time favorites: FIM security and FIM best practices.

For ease of use I’ve been collecting this information in some articles.
Below you’ll find the short links:

As you might see, there is still a lot of room for improvement, so I invite you to update the article where you think information is missing.

When discussing a basic FIM setup (using FIM Sync and FIM Service + Portal), a common diagram being drawn is the one below.
It does not cover the other FIM add-ons (like FIMCM, BHOLD or reporting), but it is still useful and very visual guidance for planning your security.

Its main purpose is to explain that the initial security setup for your FIM:

  • DOES require a collection of security accounts and groups to segregate duties (so installing FIM with one single account, used for all FIM functions and accounts, is a very bad idea).
  • ONLY needs 1 core administrator account with administrator access to the FIM server’s local security.
  • DOES NOT require service or technical accounts with local or domain admin rights (except 1: the FIM Installer account).
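A quick way to verify the three points above on an existing deployment is to audit group membership from the FIM servers. The script below is an added example, not part of the original post or of any Microsoft FIM tooling; the account and server names are placeholders you would replace with your own, and it assumes the RSAT ActiveDirectory module is available.

```powershell
# Added example (not from the original post): audit FIM service accounts against
# the rule "no local or domain admin rights, except the one installer account".
# PLACEHOLDERS: replace the names below with your own FIM accounts and servers.
Import-Module ActiveDirectory

$fimServiceAccounts = @('svc-fimsync', 'svc-fimservice', 'svc-fimma', 'svc-fimsql')  # placeholders
$fimInstaller       = 'fim-installer'              # the ONE account allowed local admin rights
$fimServers         = @('FIMSYNC01', 'FIMSVC01')   # placeholders

$findings = @()

# Check 1: no FIM service account may be a direct or nested member of Domain Admins.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                Select-Object -ExpandProperty SamAccountName
foreach ($acct in $fimServiceAccounts) {
    if ($domainAdmins -contains $acct) {
        $findings += "$acct is a member of Domain Admins; FIM does not need this."
    }
}

# Check 2: on each FIM server, no service account may sit in local Administrators.
# Uses the WinNT ADSI provider so it also works on the Server 2008 R2 era hosts FIM 2010 runs on.
foreach ($server in $fimServers) {
    $group   = [ADSI]"WinNT://$server/Administrators,group"
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    foreach ($acct in $fimServiceAccounts) {
        if ($members -contains $acct) {
            $findings += "$acct is a local Administrator on $server; only $fimInstaller should be."
        }
    }
    # Anyone else with local admin on the FIM box, besides the installer account, is worth a look.
    $unexpected = $members | Where-Object { $_ -ne $fimInstaller -and $_ -ne 'Administrator' }
    if ($unexpected) {
        $findings += "Additional local Administrators on ${server}: $($unexpected -join ', ')"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: FIM accounts follow the segregation rules.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it from a workstation with domain read access; every warning is an account to review against the diagram.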

FIM Security