Earlier in my career I had the privilege of working for Intercede, a company supplying smart card management systems. A core capability was the ability to manage the card lifecycle and the credential lifecycle (e.g., PKI certificates), as distinct from other systems that manage credentials and place them on cards without managing the card lifecycle. A part of the sales pitch was that if you don’t manage the card lifecycle in the system, you will end up with a spreadsheet to manage the cards.
In my more recent work reviewing various customers’ PKI implementations I have come across lots of spreadsheets of this nature – with fully documented processes of how “Bernie” keeps the spreadsheet up to date.
(Ever since a sales pitch to a prospective customer that said “I don’t need a card management system, I have a Bernie”, I’ve used Bernie as the name of the spreadsheet editor.)
In some cases the customer is really happy with the spreadsheet approach and it works well for them – and is an efficient, auditable process. Others have migrated, or are migrating, to a card and credential management system, having recognised the complexities.
The difference between the two types of customer? Scale: with fewer than 500 users the spreadsheet works just fine. With more than 5000, a spreadsheet starts to break down and a card management system is needed. Between 500 and 5000 – it depends on the volume of transactions (joiners/movers/leavers). This is what I always suspected, but it has been comforting to see this play out on a customer’s site.
The moral of the story? It’s a good reminder that security is not a one-size-fits-all problem. In some cases a technology approach is good; in others a robust process is a perfectly valid substitute. The key part is to assess the business need, in context.