Archive for the ‘Governance’ Category

Novell ATT Live Roundup Part 2: Sentinel Security Information & Event Management!

Thursday, December 16th, 2010

Novell ATT Live Round Up Part 2

Location: Vegas Baby!

So a team of IDMWorks folks ventured to the little known town of Las Vegas to attend the 4-day ATT Live Novell Training, Update and Marketing summit. So what did we learn? Much like the Vegas buffets, we had our pick of many tools, overviews and information sessions. Each of the IDMWorks team members (there were 4 of us present) chose a little from column A and a little from column B. As such, I plan to speak to the sessions I attended and what I saw, as well as my likes and dislikes.

This will be a multipart blog entry, as such I bring you Part 2: Novell ATT Live Roundup – Sentinel Security Information & Event Management!

The Novell sessions at ATT Live were interesting in that they weren’t full blown product training as much as bits and pieces specific to tasks within a product (such as Driver Packaging for Novell Identity Manager 4).  The Novell Sentinel briefing I attended was “Identity Tracking for Novell Sentinel and Identity Manager” in which staff (preferably security) are alerted in real time of a breach in security allowing the staff to take immediate action to halt the user from being a bad, bad man (or woman). The key here is to know the old WHO, WHAT, WHERE and WHEN of the breach and having the means to not only identify but stop the malicious activity.  Timing is of the essence here.

The lab revolved around tying the Novell Identity Manager 4 product into the Novell Sentinel product with ease.  I won’t lie here and tell you that everything went uber smoothly or that there weren’t any glitches in the process but what I can tell you is that with a little elbow grease this is a completely doable proposition.  The event monitoring can show us when an employee used their proximity card or badge to enter (who).  When the user logged in to his/her laptop.  What applications and databases they accessed. What policy they violated or breached and when they did it (in real time) and incident management and remediation.  In the case of Novell Identity Manager 4 the action was used to trigger an immediate shutdown of all access rights including (but not limited to) Login ID suspension (works great if that account is SSO enabled for a one stop method), application access termination (if not SSO enabled), Badge credentials revocation (or CAC if you prefer), and immediate compliance audit and reporting to security staff members.  Pretty…Frickin…Cool.

Now this has whetted my appetite big time. It makes me want to see what other products are out there that also fit the bill, and I see myself taking a look at the Microsoft, Oracle, IBM and CA offerings that have a similar proposition soon, to see how they stack up. Feel free to sound off below on your experiences with Novell Sentinel or a similar vendor product.

As usual, questions, comments or needs, contact us here.

And Happy Holidays from the crew at IDMWorks!

Data Loss Prevention – the ABCs of DLP

Friday, December 3rd, 2010

Gone are the days of regulatory commissions focusing only on the largest of corporations and fines being viewed as acceptable risks. The compliance world has changed. Fines for violations of data privacy protections are now commonplace. Organizations of all sizes are subject to regulatory scrutiny as the need to demonstrate compliance continues to grow. For many companies there are compelling reasons to contain their information assets, design ideas, patents in waiting or other intellectual property that give them a leg up in their industry. This information needs to be kept in house.

There are many software solutions that protect information from being intentionally compromised or corrupted by viruses and hackers. Keeping data safe from these types of threats has become automated, as the use of tools and the processes of patching and updating virus definitions have become routine in our industry. The challenge is: how do we prove that we are taking all necessary precautions to control the availability and integrity of our data against internal misuse, as well as its distribution? Event logs and audit processes may be able to inform us of historical compromises; however, knowing about a breach and preventing the breach are two entirely different creatures. This brings us to DLP.

Data Loss Prevention (DLP) technologies are based on a proactive approach to protecting data. Data classification and defining the rules of that data’s usage are essential in controlling its accessibility and how it can be distributed. DLP tools are instrumental in recognizing known data patterns (driver’s license numbers, Social Security numbers, account information and/or other intellectual property) and aiding in that classification. Once the data has been classified, policies can be created for its care in any of the following three states:

  1. Data at Rest
    Data at Rest refers to information that is stored within an organization. This can be information stored on a file server or share, or in a repository such as SharePoint.
  2. Data in Motion
    Data in Motion refers to information as it moves around the organization. Examples include email, Instant Messaging, FTP and/or other protocols.
  3. Data at the Endpoint (aka Data in Use)
    Data at the Endpoint refers to information that is currently being used by staff on their computers. Examples include information the staff is printing, saving on a USB memory key or writing to a CD/DVD.

DLP technologies use these data classifications and the corresponding policies to make real time authorization decisions. If a policy is crafted to only allow electronic personally identifiable health information (PHI or ePHI) to be shared via email with select recipients, all email leaving the corporate perimeter is scanned for PHI and only the appropriate emails are then allowed to be delivered. This is done via deep packet inspection: DLP technologies allow SMTP (Simple Mail Transfer Protocol) packets to be collected and reassembled, then scanned as they pass the network perimeter. Similar rules could be implemented for internal email traffic between departments. Let’s go with a hypothetical here: assume your company has had a breakthrough in engineering and now possesses a revolutionary invention, and its secrecy is mandatory until the patent is approved. All communications about the invention can be controlled via classification and policy, keeping it from being leaked into the marketplace prior to being awarded a patent.
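The email policy just described, as an added example that is not part of the original post: a reassembled SMTP message is classified by the data patterns it carries and delivered or blocked depending on the recipients. The SSN and driver’s license formats, the `corp.example` internal domain and the `claims@insurer.example` allowlist are constructed for illustration.

```python
from __future__ import annotations
import re
from email import message_from_string
from email.policy import default

# SSN pattern with the ranges the SSA never issues (area 000, 666, 900-999,
# zero group, zero serial) excluded to reduce false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
DL_RE = re.compile(r"\b[A-Z]\d{7}\b")          # constructed DL number format
HEALTH_TERMS = ("patient", "diagnosis", "mrn")  # health context marker words

# Hypothetical policy: ePHI may cross the perimeter only to these addresses.
INTERNAL_DOMAIN = "corp.example"
EPHI_ALLOWED_EXTERNAL = {"claims@insurer.example"}


def classify(body: str) -> set[str]:
    """Return the data classes found in a message body."""
    labels: set[str] = set()
    lowered = body.lower()
    has_ssn = SSN_RE.search(body) is not None
    # An SSN in a health context is treated as ePHI; on its own it is PII.
    if has_ssn and any(t in lowered for t in HEALTH_TERMS):
        labels.add("ePHI")
    if has_ssn or DL_RE.search(body):
        labels.add("PII")
    return labels


def policy_decision(raw_message: str) -> tuple[str, set[str]]:
    """Scan one reassembled SMTP message; return ('deliver'|'block', labels)."""
    msg = message_from_string(raw_message, policy=default)
    recipients = []
    for header in ("To", "Cc"):
        for value in msg.get_all(header, []):
            recipients += [a.strip().lower() for a in value.split(",") if a.strip()]
    labels = classify(msg.get_content())
    external = [r for r in recipients if not r.endswith("@" + INTERNAL_DOMAIN)]
    if "ePHI" in labels and any(r not in EPHI_ALLOWED_EXTERNAL for r in external):
        return "block", labels
    return "deliver", labels


# Constructed sample messages.
PHI_BODY = "Patient Jane Doe, SSN 123-45-6789, diagnosis attached.\n"
TO_INSURER = f"From: nurse@{INTERNAL_DOMAIN}\nTo: claims@insurer.example\nSubject: claim\n\n{PHI_BODY}"
TO_WEBMAIL = f"From: nurse@{INTERNAL_DOMAIN}\nTo: friend@webmail.example\nSubject: fyi\n\n{PHI_BODY}"
TO_INTERNAL = f"From: nurse@{INTERNAL_DOMAIN}\nTo: billing@{INTERNAL_DOMAIN}\nSubject: claim\n\n{PHI_BODY}"
NO_PHI = f"From: nurse@{INTERNAL_DOMAIN}\nTo: friend@webmail.example\nSubject: lunch\n\nSee you at noon.\n"

if __name__ == "__main__":
    for name, raw in (("insurer", TO_INSURER), ("webmail", TO_WEBMAIL),
                      ("internal", TO_INTERNAL), ("no_phi", NO_PHI)):
        print(name, policy_decision(raw))
```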

Organizations of all sizes have needs in preventing the loss of their data. Whether the need is based on controlling their intellectual assets or the requirement to meet the compliance standards issued by regulatory commissions, DLP technologies are essential in solving these needs in an automated fashion and in proving due diligence. Questions? Please feel free to reach out to IDMWorks to see how we can assess, classify and implement your DLP needs.

Zen and the Art of Identity Management

Monday, November 15th, 2010

Interestingly enough I have been asked many times as to what exactly IDMWorks is and what it is that we do (and I don’t just mean the wife and kids).  As such it seems time to do the quasi-annual blog sales pitch.  I think most of our readers have an idea what we do and have perused the site to better inform themselves but there are some that don’t tread any farther than this here blog.  So in keeping with the simplicity of blogvertising I present you IDMWorks.

Subject:  Enterprise Identity & Access Management and Governance, Risk & Compliance

You may be aware of many of the issues organizations are facing today around the various challenges and aspects of Identity Management and Information Security.

At IDMWORKS we understand the problems that many of you are facing and are positioned to help. IDMWORKS is a vendor agnostic Identity Management, Access Management, and Governance, Risk and Compliance Management consultancy. We have consultants and engineers across the United States and North America that specialize in helping clients with most aspects of Identity, Access Management, and GRC issues, including the following:

  • Identity and Access Management technology evaluations and POCs
  • Identity Management strategy creation, Integration and Deployment
  • Identity Management / IT Security Technologies Assessment, Evaluation, and Planning
  • Identity Management / IT Security Education
  • Pre & Post Identity Management project Support Services
  • Identity Federation
  • PCI Compliance
  • Governance, Risk and Compliance Management, Provisioning
  • Single Sign-on and Web Access management
  • Data Loss Prevention

IDMWORKS has been built upon the skills and experience of dedicated IDM professionals and specialists, with a customer base that includes Government, Healthcare, Education, Financial Services, Energy, Manufacturing and Retail clients.

IDMWORKS has experience with the integration and implementation of the market leading Identity & Access Management and GRC solutions and technologies – CA, Oracle/Sun, Novell, IBM, Aveksa, Citrix, Passlogix, and Sailpoint, to name a few – and would welcome the opportunity to discuss your IT Security needs to determine how we can help.

We would like to offer you the opportunity to take advantage of an initial Identity Management, and Compliance Assessment. The results of the assessment will include recommendations on potential solutions to address your current Identity management and GRC related issues.

For further information or to arrange an initial consultation, contact IDMWorks to discuss how we can help with a solution to address your needs.

State of the Union

Saturday, October 9th, 2010

Last week Oracle announced they had purchased Passlogix (best known for the V-GO ESSO application) and this got me thinking about the changes in the last 10 years in the Identity Industry.

A decade ago you had start-ups galore. Business Layers (eProvisioning), Netegrity (SiteMinder), Access360, Thor (Xellerate), Waveset, Oblix, Trulogica, M-Tech and Courion, to name a few, almost all of which were acquired.

Business Layers got acquired by Netegrity who got subsequently acquired by CA.  Access360 got acquired by IBM as part of the Tivoli Identity Manager product.  Thor got acquired by Oracle, Waveset by Sun and subsequently Oracle, Oblix by Oracle as well (I am sensing a trend here by the way).  Trulogica got acquired by HP where it saw its demise.  M-Tech became Hitachi and Courion bucked the trend and stayed Courion.  Even the smaller space tools like Maxware got picked up by SAP.  In fact, up until the last few years, we have remained in the land of the Big Company Identity Stack.

So how did we get there?

Back in the day IDM was slowly being looked at as the next wave in risk and security. The issue at the time was that the products were very green and lacked the technical maturity to make implementation a worthwhile process. Sure, the low hanging fruit of automagically creating an Active Directory or Netware account was a breeze, but the implementation around single sign-on, strategic workflows and approval/escalation to a host of applications was not a smooth process. In fact, in the early 2000s the process behind the technology was still being ironed out. Many of the projects we worked on required a high level of customization, and as a result the time to implement took in some cases years to complete. During these multi-year engagements a good number of projects failed to get off the ground or changed scope so many times that in the end the effort was deemed a failure or not what it was originally sold as.

Eventually sanity won out and most organizations realized that Web Access Management, Provisioning and, furthermore, Federation and Role Management were separate sides of the Identity Management box. Instead of one large “Big Bang”, a step by step approach gained traction as a method to actual success. Many of the larger organizations even split Access Management and Identity Management into strongly separate buckets with their own teams and infrastructure. Gone are the days where Access Manager and Identity Manager are viewed as the same application. Today the products are treated as interconnected but individual pieces complementing each other even when they fall into the same stack. This can be seen in the job reqs that many organizations release when looking for a technical resource. 5 years back recruiters were still looking for the Jack-of-All-Trades Engineer/Developer/Architect/PM that knew the SSO, Provisioning, Federation, Role Management and Password Management tools from the 4 different vendors (my personal favorite being when the recruiter would then say a “junior” resource for said position was OK as a method to justify the sub-par rate, as if such a “junior” person existed with that level of knowledge).

The big company buy-up of the old Venture Capital backed firms yielded a greater maturity in the market and a fierce rivalry in the market place.  In fact the biggest players are now Oracle, IBM, CA, Novell, and to a lesser extent BMC and a hard charging Microsoft.  What is interesting though is as of a few years back the next generation of VC based IAM start-ups popped up and we are seeing history repeat itself with the next wave of industry consolidation.

For instance, take a look at the Role Management and Identity Governance market place.

Bridgestream Roles and Vaau RBACx got scooped up by Oracle and Sun and subsequently Vaau won the application war as Oracle’s preferred Role application (under the unfortunately named Identity Analytics banner).

Aveksa and Sailpoint popped up to not only compete in the same space but to offer superior products to manage compliance with HIPAA, SarBox and the like moving beyond solely role management into the governance and compliance management space.

Eventually, as is the case in the IAM space, one or both companies are likely to be acquired. Where they will land is open to conjecture, but like all Venture Capital based opportunities you are either a resounding success in the sales game or you are a cheap acquisition target. I have my own guesses as to what comes next for both companies but alas that is a topic for another blog entry.

As for the announcement of Passlogix being acquired, Oracle has a strong set of tools in the space covering all facets of Identity and Access Management.  They are truly becoming the Walmart of the Identity World.

PCI yai yai!

Wednesday, August 18th, 2010

If your business accepts or processes payment cards, it must comply with the PCI DSS (Payment Card Industry Data Security Standard). All businesses and merchants that store, process and/or transmit cardholder information are now required to be PCI compliant.

PCI DSS is a set of requirements for enhancing data security. This originally began as individual programs from Visa, MasterCard, American Express, Discover, and JCB. To facilitate the broad adoption of consistent data security measures Visa, MasterCard, American Express, Discover, and JCB aligned their individual policies to release the Payment Card Industry Data Security Standards.

In today’s economy, with merchants and business owners required to thoroughly evaluate operating costs, merchant processing fees are an area frequently overlooked. Evaluating and comparing merchant processing solutions including fees for services, such as PCI compliance for your business, can be well worth the time it takes and may result in considerable savings for your company.

Many companies are struggling with some of the same issues repeatedly around PCI DSS compliance and Governance. First and foremost, companies need to know whom and how to pay for PCI Compliance and where the ROI is. Second, how do companies free up the system administrators to do what they pay them to do (administer systems, that is)? Whether they be network engineers, UNIX administrators, or Windows administrators (to name a few), too often organizations have turned our technical assets into grumpy compliance administrators and/or control owners. I think we all know how much system administrators just love to get involved in compliance and governance (can someone get Johnny from under his desk and let him know I’m not here for PCI, SOX and Audit). Third, spreadsheets, spreadsheets, spreadsheets. Did I mention spreadsheets? I’m not sure how much I need to elaborate here, but multiple spreadsheets housing your control environment assures that everyone is working off a different set of controls.

Too often we task our administrators to be owners of controls that are poorly written (often by other system administrators). Most times these controls are written very broadly and are not housed in a central repository (which, by the way, external auditors love to flag). With broad controls the external auditor can test whatever they believe the control defines, often leading to the entire control failing and thus having to be retested. Additionally, we do not supply our system administrators with the correct tool set (“what tools?” says Johnny). We spend a lot of time manually going through IOS code, system logs, Active Directory logs, and of course spreadsheets to try to test controls and assure governance.

This is where IDMWorks can come in. IDMWorks QSAs can build a framework based on Risk Drivers, write general controls that can be applied to most standards, build automation into the process, reduce your external audit time by 50% (ROI), and assist you with writing solid test plans to execute. Look at IDMWORKS as your tax preparer, but for Compliance and Governance. Creating a new framework along with solid test plans assures a very efficient process, reducing the amount of time wasted by your external auditor during the testing of poorly defined controls. Additionally, poorly written test plans are part of this spiral of non-compliance. IDMWorks takes a practical approach that will assure your PCI certification and reduce your audit cycle and costs.

The truth about Roles, what people won’t tell you about RBAC

Monday, August 2nd, 2010

I have been at three separate companies as of late that all strive to have the “perfect role model” for their enterprise. This desire is usually coupled with the desire to have some irrational number of roles to show that their role model was successful.

<Sidebar> Let’s say your company has 100,000 people worldwide, how on earth could you believe that you’re going to end up with 10 roles?

The answer to the number of roles is generally a product of how you want to create enterprise roles (this includes Business and/or IT roles). There are a few options when it comes to designing roles, to list a few:

  1. Bottom-up, Top-down and Intersection Analysis (yawn, that’s so 2009)… and the result being a set of IT roles that map to resources, and business roles that map to the IT roles.
  2. Allow supervisors to control the number of roles; they decide what goes in their roles, and your systems make sure that they haven’t put any “toxic combinations” in their roles.
  3. Use #1 & #2 with a standard set of entitlements that everybody gets based on some organizational data.
  4. Allow a product to analyze your data and suggest candidate roles.

(All of these mean nothing unless your roles are “in-context”; to be covered in my next post.)
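The “toxic combination” check from option 2, together with the baseline entitlement set from option 3, as an added example that is not part of the original post. The finance entitlements, the segregation-of-duties pairs and the roles are constructed; the point it makes is that a role can pass the check on its own while the combination of roles assigned to one person still violates a rule, so the check has to run at both the role and the identity level.

```python
from __future__ import annotations

# Constructed segregation-of-duties rules: pairs of entitlements that one
# identity must never hold at the same time ("toxic combinations").
TOXIC_PAIRS = {
    frozenset({"AP:create_vendor", "AP:approve_payment"}),
    frozenset({"GL:post_journal", "GL:approve_journal"}),
}

# Option 3: a standard entitlement set everyone receives from org data.
BASELINE = {"email", "intranet"}

# Constructed supervisor-defined roles (role name -> entitlements).
ROLES = {
    "ap_clerk": {"AP:create_vendor", "AP:enter_invoice"},
    "ap_manager": {"AP:approve_payment"},
    "gl_accountant": {"GL:post_journal"},
}


def toxic_violations(entitlements: set[str]) -> list[tuple[str, ...]]:
    """Return every toxic pair fully contained in the given entitlement set."""
    held = frozenset(entitlements)
    return sorted(tuple(sorted(pair)) for pair in TOXIC_PAIRS if pair <= held)


def validate_role(entitlements: set[str]) -> list[tuple[str, ...]]:
    """Role-level check: reject a proposed role that is toxic by itself."""
    return toxic_violations(entitlements)


def effective_entitlements(user_roles: list[str], roles: dict[str, set[str]]) -> set[str]:
    """Identity-level view: baseline plus everything granted by assigned roles."""
    ents = set(BASELINE)
    for name in user_roles:
        ents |= roles[name]
    return ents


def check_user(user_roles: list[str], roles: dict[str, set[str]]) -> list[tuple[str, ...]]:
    """Identity-level check: clean roles can still combine into a violation."""
    return toxic_violations(effective_entitlements(user_roles, roles))


if __name__ == "__main__":
    # A supervisor proposes one role holding both AP duties: rejected outright.
    print("ap_all:", validate_role({"AP:create_vendor", "AP:approve_payment"}))
    # Each existing role is clean, but one person holding both is not.
    for role, ents in ROLES.items():
        print(role, validate_role(ents))
    print("clerk+manager:", check_user(["ap_clerk", "ap_manager"], ROLES))
```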

Now comes the part where I give my prescriptive advice on which of the 4 options to use. The answer: RBAC is art, not science; you should try all of the above, or at least see if they pass the litmus test for your organization (better yet, call IDMWorks and we can help you figure it out).

Once you’ve figured out what direction you are going with roles, the next step is to stuff all of that in a product. Might I suggest Aveksa, as it is one of the best products in the industry, and use it to manage your roles, entitlements, segregation of duties rules and certifications.