Elf on My Shelf: Monitoring Identity and Access

Access Risk Management Blog | Courion

Implementing Monitoring: Phase One – Those Pesky Kids

A few years back my wife and I decided we needed a seasonal worker who could live in our home between Thanksgiving and Christmas in order to monitor the activities of our three children. You see, these children had access to many of our critical assets, and may in fact have been naughty when they should have been nice. Working in the security industry has taught me that when it comes to permanent employees, trust but verify is a great policy. Based on that, we decided to hire an Elf to take up daily positions on our various shelves, and report back to Santa whenever the children were naughty (or from time to time, nice).

Employing this seasonal worker was more complicated than we initially thought. There were the usual challenges associated with temporary staff, like what system of record to use to track their employment, granting them access to needed resources, and ensuring that on Christmas Eve, all access was terminated. However we also came to find out that the “Elf on the Shelf” needs privileged access to all resources, comes and goes at night, and is prone to “pranking” their host family.

In fact, research on the security concerns around Elf access came up with more than a few disturbing images, including these:

 Shaved HeadSnow AngelsWoody in trouble

Elf on the Shelf abusing legitimate access for illegitimate purposes

To date, our Elf employee “Oscar” has not committed any such prank. However, learning of this propensity among Elves, and also given the level of access granted to Oscar, we decided something needed to be done.

 Implementing Monitoring: Phase Two – That Pesky Elf

After extensive research into Identity and Access Management solutions, we determined Courion’s Access Assurance Suite was the best fit for our needs. Of course, since I work for Courion, the company had a leg up on other vendors, but the true reason we selected Courion was because - instead of simply helping us more easily grant, revoke and review access – the solution also continuously monitors access for all of our employees and non-employees. This continuous monitoring allows us to sleep soundly at night (with visions of sugar-plums) knowing that Oscar and the kids all had the access they needed, and that they were not abusing it.

Also, the Courion Access monitoring solution is personified by a cute Einstein squeeze toy.


 Elf getting piggy back from BatmanElf on a phoneElf in a tree

 Oscar the Elf behaving nicely, with IAM monitoring Solution in place

IAM Monitoring: The results

Oscar the Elf has been a great way to ensure the children behave, while also providing critical Naughty / Nice data to Santa during the festive season. And the Einstein personification of Courion’s IAM Monitoring solution has enabled us to effectively manage the risk of pranks that is associated with our elf. All in all, this solution is simply Genius, giving us capabilities like:

-          Automatically checking for policy and regulatory violations during the provisioning process to get access right the first time (Segregation of Duties and the like)

-          Performing micro-certifications that review access when it changes and is newly flagged as risky (Elevated Access or Access not common for the role)

-          Immediate de-provisioning of access when the risk of prank is elevated to an unacceptable level

Thankfully, with Courion implemented our de-provisioning engine is also pretty solid:

 Hulk de-provisioning your access

Hulk Smash Inappropriate Access

Happy Holidays and Good luck with your Identity and Access Management Initiatives in 2014.

Elf on the Shelf with Einstein. Genius.

Intelligent IAM. Genius.


Leave a Reply