Archive for the ‘Password Management’ Category

Avatier Identity Management Suite (AIMS) Overview

Monday, August 29th, 2011

The Product: Avatier Identity Management Suite (AIMS)

The Review:

Install

The installation of the Avatier Identity Management Suite (AIMS) was one of the more straight forward processes we have encountered and only took about 15 minutes to complete. The product itself installs on a Windows 2008 32/64 bit server (for version 7 and earlier) and for version 8  installs on a Windows server 2008 R2 64 bit.  AIMS is GUI driven and offers a branding interface that allows the customer to modify text or any of the graphics that appear on those screens without the need for custom programming or scripting. The product offers a range of connectors as many of the vendor IdM applications do and as is to be expected, with AIMS there is no additional install of software on the end-point server for the connector to function (agentless).  There are 28 different connects currently offered OOBincluding AS/400, Linux, various Microsoft (SQL, Windows, ADAM), Novell, Oracle, PeopleSoft, SAP, Sybase and Sun.  On the Access Management side, AIMS offers several web agents for the following platforms, IBM iSeries, IBM AIX, Linux, HP-UX and Sun Solaris.

Functionality

There are 8 core functions within the AIMS suite, Account Creator, Account Terminator, Compliance Auditor, Identity Analyzer, Identity Enforcer, Password Bouncer, Password Station and HR Feeds. These are installed as part of the base install of AIMS. Interestingly enough, all of the functions are configured through GUI windows and no scripting is involved.  Another nice touch with the product is the workflow is automagically built based on your configuration unlike many other products where you have to build it through scripting. 

The Identity Enforcer is the primary function of the product, this is where you configure Delegation, Org Charts, Reports, Security, etc…. . The product itself does have some pretty cool killer apps such as “Connect with IPad’”.  The reporting is stronger than many other products we have used and somewhat easier to configure. and the HR Feeds can read from several different databases (which is a given), such as Oracle, DB2, SQL-Server and MYSQL.

The Hits:

1. Password Station enables you to eliminate password reset calls to your internal help desk by allowing users to securely perform reset action themselves.
2. Password Bouncer improves on your password policy by allowing users only complex passwords that are difficult to crack.
3. Account Terminator automatically deactivates and captures account data from ex-employees as well as accounts that have been dormant and are no longer in use.
4. Account Creator automates all aspects of user provisioning thereby achieving great cost savings in starting new employees.
5. Identity Enforcer integrates workflow process of self-service authorization management.
6. Logon Station permits Single Sign-On so users only need to logononce to have access to every resource for which they are authorized.

The Verdict:

The maintence and setup is where the savings are compared to other market products. A big plus is that there is virtually no coding involved for workflow as AIMS can and will handle this automatically based on your configuration settings.  And a killer diller process that sets Avatier apart from others is the ability to get live updates (the platform is the only commercial off-the-shelf Identity Management solution I know that offers an optional Live Update service for automating software updates and upgrades but your mileage may vary with the usage of that one).

Once you have gained the knowledge of where everything resides in the GUI under specific functions the product is fairly straight forward to set up and while AIMS offers a lot of the same functionality as most of the IDM products on the market, such as Workflow, Reporting, Creating/Deleting Users and Reconciliation of Users across multiple platforms, it also offers a built in Role Mining function.

All in all a pretty bang up product addition to the Identity & Access Management market place.

Agree, Disagree or have a product we should be tackling next? Sound off below or feel free to reach out to us at IDMWorks.

Tags: , , , ,
Posted in Access Management, Avatier, Identity Management, Password Management | No Comments »

Password Management in Novell Identity Manager

Tuesday, March 29th, 2011

Novell Identity Manager integrates tightly with Novell eDirectory. Part of the benefit of eDirectory is the inherent security built around passwords.  But there are times that Novell’s native tools for managing passwords do not meet the specific needs of the deployment. So let’s briefly explore the options you have for managing passwords within the framework of Novell’s Identity Manager.  For the purposes of this article password management is defined as the ability for a user to set a password, set challenge/response questions and use those challenge response questions to reset a forgotten password.

The first option, and probably the easiest to implement, is to use Novell’s Role Based Provisioning Module (RBPM) formerly known as the User Application.  This tool is easily deployed and fully supports all of the password management functionality.  It is can be branded and is fully supported by Novell.  The drawback to the RBPM is that it may be more than some organizations need when they are looking for just password management.  Additionally an organization may have an existing portal deployment that they want to integrate password management into. RBPM may not be the best fit for these organizations.

Another option is to utilize Novell’s Password Management Framework from their custom development group.  This is a fully functional password utility that is specifically tailored to an organization.  It is supported via Novell’s custom development group and fully supports all of the password management functionality.  The disadvantage of this solution is the additional costs associated with the purchase, development and support of the solution.  It can be integrated into an organizations existing portal solution and is fully supports branding specific to an organization.

If the functionality of Novell’s Password Management Framework (PMF) is what an organization is looking for but they do not wish to make the additional investment in product, support, etc… then a viable option is an open source project called PWM (available at https://code.google.com/p/pwm/).  This solution is very comparable to Novell’s PMF.  An organization may deploy it as is or customize it for their needs.  The advantage of this solution is the reduced product costs.  The disadvantage of this solution is that the organization is essentially self supporting themselves with this solution.  Just as the solutions above PWM fully supports all of the password management functionality.

In RBPM 3.7 there is also a forgotten password web service that is available (http://server:port/warcontext/pwdmgt/service?wsdl).  This is a good way to access basic password reset functionality.  This service does not support all of the password management functionality.  However it is a good option for organizations familiar with writing to web services and only need the basic forgotten password operations.

For organizations that desire the web service approach but need fuller functionality than what the basic web service interface provides there is in RBPM 3.7 REST services available.  The functionality for the REST services is contained in a war file (RIS.war) that sits separate from the User Application and provides access to much more than just the password management features.  The REST services are fully documented in Novell’s RBPM 3.7 online documentation.  This solution can be integrated into an organizations existing portal framework or can be used to build a fully functional site that exposes specific functionality that an organization needs.

There are other options for integrating with Novell’s Identity Management solution for password management that utilize Novell’s APIs.  But in the opinion of this consultant the above listed methods are the most cost effective options and provide the functionality that most organizations need.

As usual if you have questions, comments or concerns feel free to reach out to us at IDMWorks.

Tags: , , , , , , , ,
Posted in Identity Management, Novell, Novell Identity Manager, Password Management | No Comments »

Macintosh SSO via PasswordBank

Sunday, February 20th, 2011

I recently had the opportunity to participate with PasswordBank (PB) at a Proof of Concept (POC) demonstration for a company in Chicago. The company was interested in seeing how the PB SSO product would integrate with their Macintosh Users. Most of the senior company officers were Mac users and the ability of the PB SSO product to work with the Mac was the focus of the POC.

The PasswordBank Server was pre-configured by PB in the Amazon Cloud prior to the POC. This is the same installation/configuration that would be done on a bare metal server onsite. Installation is rather straightforward and requires only a couple of hours. The entire server/database combination can be setup on a single server via a single DVD. The server is CentOS based and the DVD includes the PB software as well as a MySQL database.

Access to the PasswordBank WebSSO requires the use of a browser plug-in.  In the case of the POC, the new Safari plug-in was used. Safari was the browser of choice for this customer.

Two methods of cloud based server configuration were discussed. The first was the single server in the cloud with no local presence. All traffic would have to be enabled to the cloud server in order for SSO to work. The second method, known as the hybrid, utilized a password router to intercept traffic inside the firewall and route the SSO traffic to the cloud server.  This router, also known as an Identity Server, would reside on any IIS server along with whatever web services were running in IIS. For this POC the single cloud server was used.

The Safari plug-in is managed through the extensions settings for Safari.

Settings include the check box to enable the server and the URL for the PB Server. The second setting is used for the hybrid mode where the Identity Server/Password Router would be setup.

Application configuration is very simple. Once the application URL has been entered (LinkedIn in this case), the PB extension will attempt to capture the login information as it is entered.

Note the PasswordBank banner is shown. That is the indication that the password capture process is happening. Once you enter your userid and password it will be captured and the banner will not show again. Your credentials are now stored for future use.  Should your password expire the PB extension will detect this and offer the means to update the credentials. The next time you go to LinkedIn the PB extension will provide the credentials.

Should you not wish to have credentials entered automatically the PB extension can be paused for a particular application.

  • Credentials can always be modified for each application individually without having to access the application.
  • Credentials can also be deleted by a user for an application. This would cause the PB extension to ask for credentials again the next time the user accessed the application.

Applications are created by users who have Administrative rights to create applications.  They do this by accessing the application one time. Once created, any user may access the application and have SSO for that application. Applications are named after the Title value of the web page but his is readily changed should the title not accurately reflect the application (we had a few in the POC where the title was simply “Login”).  The administrative UI provides the ability to customize the applications in many ways. Application accessed via PB can be granted to a user or group and user stores can be internal or external (i.e. Active Directory).

User Access to the PasswordBank server is via User Certificate.  Administrative users generate certs for users, and users have the means to retrieve them via web or to have them emailed to themselves.  Once a cert is installed in the OSX Keychain Safari will request the cert when the extension is accessed via the dedicated PB icon (right most icon shown below).

Hint: If you click on Always Allow then you will not be asked this for any future access.

This is a very simple, yet flexible, means to provide SSO functions within Safari on a Macintosh.  Should your Mac users be Firefox based  a similar plug-in is available. PasswordBank has an OSX Client in the works that would extend single sign on to the OS level similar to what it already provides for Windows XP, Windows 7 and Linux Desktop Operating Systems.  These clients integrate at the OS login to provide Single Sign-On for the entire user experience.

As usual let us at IDMWorks know if you have questions or comments.

Tags: , , , , ,
Posted in Apple, Cloud Computing, Password Management, PasswordBank, Single Sign On (SSO), Software as a Service (SaaS) | 1 Comment »

Zen and the the Art of Identity Management

Monday, November 15th, 2010

Interestingly enough I have been asked many times as to what exactly IDMWorks is and what it is that we do (and I don’t just mean the wife and kids).  As such it seems time to do the quasi-annual blog sales pitch.  I think most of our readers have an idea what we do and have perused the site to better inform themselves but there are some that don’t tread any farther than this here blog.  So in keeping with the simplicity of blogvertising I present you IDMWorks.

Subject:  Enterprise Identity & Access Management and Governance, Risk & Compliance

You may be aware of many of the issues organizations are facing today around the various challenges and aspects of Identity Management and Information Security.

At IDMWORKS we understand the problems that many of you are facing and are positioned to help.  IDMWORKS is a vendor agnostic, Identity Management, Access Management, and Governance, Risk and Compliance Management Consultancy. We have consultants and engineers across the United States and North America that specialize helping clients with most aspects of Identity, Access Management, and GRC issues, including the following:

  • Identity and Access Management technology evaluations and POCs
  • Identity Management strategy creation, Integration and Deployment
  • Identity Management / IT Security Technologies Assessment, Evaluation,  and Planning
  • Identity Management / IT Security Education
  • Pre & Post Identity Management project Support Services
  • Identity Federation
  • PCI Compliance
  • Governance, Risk and Compliance Management , Provisioning
  • Single Sign-on and Web Access management
  • Data Loss Prevention

IDMWORKS has been built upon the skills and experience of dedicated IDM professionals and specialist with a customer base that includes Government, Healthcare, Education, Financial Services, Energy, Manufacturing and Retail clients.

IDMWORKS has experience with the integration and implementation of the market  leading Identity & Access Management, and GRC solutions and technologies – CA, Oracle/Sun, Novell,  IBM,  Aveksa, Citrix, Passlogix,  and Sailpoint, to name a few – and would welcome the opportunity to discuss your IT Security needs to determine how we can help.

We would like to offer you the opportunity to take advantage of an initial Identity Management, and Compliance Assessment. The results of the assessment will include recommendations on potential solutions to address your current Identity management and GRC related issues.

For further information or to arrange an initial consultation, contact IDMWorks to discuss how we can help with a solution to address your needs.

Tags: , , , , , , , , , , ,
Posted in Access Management, Aveksa, Best Practices, CA, CA Identity Manager, CA SiteMinder, Citrix, Citrix Password Manager, Citrix XenApp, Cloud Computing, Enterprise Single Sign On (ESSO), Governance, GRC, Identity Management, Identity Provisioning, Novell, Novell Access Manager, Novell Identity Manager, Oracle Access Manager, Oracle Fusion Middleware, Oracle Identity Manager, Oracle Role Manager, Password Management, PCI Compliance, RBAC, Risk & Compliance, Roadmap, Role Management, SailPoint, Security & Risk, Single Sign On (SSO), SOA, SRM, Sun Identity & Access Management, Sun Identity Manager | No Comments »

State of the Union

Saturday, October 9th, 2010

Last week Oracle announced they had purchased Passlogix (best known for the V-GO ESSO application) and this got me thinking about the changes in the last 10 years in the Identity Industry.

A decade ago you had start-ups galore.  Business Layers (eProvisioning), Netegrity (SiteMinder), Access360, Thor (Xellerate), Waveset, Oblix, Trulogica, M-Tech and Courion, too name a few, almost all of which were acquired.

Business Layers got acquired by Netegrity who got subsequently acquired by CA.  Access360 got acquired by IBM as part of the Tivoli Identity Manager product.  Thor got acquired by Oracle, Waveset by Sun and subsequently Oracle, Oblix by Oracle as well (I am sensing a trend here by the way).  Trulogica got acquired by HP where it saw its demise.  M-Tech became Hitachi and Courion bucked the trend and stayed Courion.  Even the smaller space tools like Maxware got picked up by SAP.  In fact, up until the last few years, we have remained in the land of the Big Company Identity Stack.

So how did we get there?

Back in the day IDM was slowly being looked at as the next wave in Risk and security.  The issue at the time was that the products were very green and lacked the technical maturity to make implementation a worthwhile process.  Sure, the low hanging fruit of automagically creating an Active Directory or Netware account was a breeze but the implementation around single sign-on, strategic workflows and approval/escalation to a host of applications was not a smooth process.  In fact in the early 2000s the process involved prior to the technology was still being ironed out.  Many of the projects we worked on required a high level of customization and as a result the time to implement took in some cases years to complete.  During these multi-year engagements a good number of projects failed to get off the ground or changed scope so many times that in the end the effort was deemed a failure or not what is was originally sold as.

Eventually sanity won out and most organizations realized that Web Access Management, Provisioning and further more Federation and Role Management were separate sides of the Identity Management box.  Instead of one large “Big Bang” a step by step approach gained traction as a method to actual success.  Many of the larger organizations even split Access Management and Identity Management into strongly separate buckets with their own teams and infrastructure.  Gone are the days where Access Manager and Identity Manager are viewed as the same application.  Today the products are treated as interconnected but individual pieces complimenting each other even when they fall into the same stack.  This can be seen in the job reqs that many organizations release when looking for a technical resource.  5 years back recruiters were still looking for the Jack-of-All trades Engineer/Developer/Architect/PM that knew the SSO, Provisioning, Federation, Role Management and Password Management tools from the 4 different vendors (my personal favorite being when the recruiter would then say a “junior” resource for said position was OK as a method to justify the sub-par rate, as if such a “junior” person existed with that level of knowledge).

The big company buy-up of the old Venture Capital backed firms yielded a greater maturity in the market and a fierce rivalry in the market place.  In fact the biggest players are now Oracle, IBM, CA, Novell, and to a lesser extent BMC and a hard charging Microsoft.  What is interesting though is as of a few years back the next generation of VC based IAM start-ups popped up and we are seeing history repeat itself with the next wave of industry consolidation.

For instance, take a look at the Role Management and Identity Governance market place.

Bridgestream Roles and Vaau RBACx got scooped up by Oracle and Sun and subsequently Vaau won the application war as Oracle’s preferred Role application (under the unfortunately named Identity Analytics banner).

Aveksa and Sailpoint popped up to not only compete in the same space but to offer superior products to manage compliance with HIPAA, SarBox and the like moving beyond solely role management into the governance and compliance management space.

Eventually, as is the case in the IAM space one, one or both companies are likely to be acquired.  Where they will land is open to conjecture but like all Venture Capital based opportunities you are either a resounding success in the sales game or you are a cheap acquisition target.  I have my own guesses as to what comes next for both companies but alas that is a topic for another blog entry.

As for the announcement of Passlogix being acquired, Oracle has a strong set of tools in the space covering all facets of Identity and Access Management.  They are truly becoming the Walmart of the Identity World.

Tags: , , , , , , , , , , , ,
Posted in Access Management, Aveksa, Enterprise Single Sign On (ESSO), Governance, GRC, Identity Management, Identity Provisioning, Novell, Password Management, RBAC, Role Management, SailPoint, Security & Risk, Sun Identity & Access Management, Vaau | 1 Comment »

GINA Chaining Problems

Friday, October 8th, 2010

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

I resolved a problem for a client recently that brought light to a potential problem that isn’t always apparent with Desktop Password Reset applications, like Passlogix SSPR (Self-Service Password Reset) software.  The GINA chain created by using multiple GINAs (Graphical Identification and Authentication DLL) can be broken or malformed to create a loop which will put the machine into a state where a user cannot log onto the machine.

Before I explain the problem and solution, a little background about SSPR and GINAs.  The SSPR software consists of a client software package that adds a title bar to the standard Windows logon. The client connects to a web server that prompts the user to answer security questions before allowing the user to reset his/her Windows password.  This is a great tool that is easy to use and can drastically reduce helpdesk calls.  The real power of the tool is that the prompt to reset the user’s password is available even if the user can’t log into the machine.  Other tools use a standard website, but require that the user be logged into Windows to get to an internet browser.

This pre-logon title bar is implemented by using a custom GINA.  The Windows logon process uses a file named msgina.dll which provides the Windows logon box that everyone is familiar with.  SSPR installs a custom GINA name ssogina.dll.  In order to use both GINAs, a GINA chain is created.  The top GINA is set in the Windows registry in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL.  After the SSPR install, the GinaDLL will be set to ssogina.dll.  Passlogix then adds custom registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Passlogix that points the product to the msgina.dll.  The GINA chain is created where SSPR GINA points to the MSGINA and allows both to function. Many products including hardware-encryption, VPN, smartcard, and fingerprint software all use custom GINAs to enable pre-Windows login functionality.  Multiple custom GINAs can be added to the GINA chain.

The problem arises when the GINA chain contains 3 or more GINAs and products are installed/uninstalled.  The problem is all about order of installation and subsequent uninstallation.  In a 3 GINA chain example, the PointSec GINA points to the SSPR GINA, which the points to the MSGINA.  This GINA chain would be created if SSPR is installed first and then PointSec is installed.  Take the same GINA chain (PointSec->SSPR->MSGINA), if SSPR is uninstalled and then reinstalled, which is common if the product were to be upgraded, the SSPR would be set as the top GINA.  The problem arises because the PointSec registry keys were not changed during the SSPR uninstall.  The GINA chain is now SSPR->PointSec->SSPR->PointSec->SSPR and on and on forever.  This causes a loop in the GINA chain and the machine never calls the MSGINA and the machine is unusable.

To remediate this problem, you can run Windows in Safe Mode (which disables custom GINAs) and reset the GinaDLL key to msgina.dll.  That will allow users to log into Windows again.  The overall solution is to make sure the GINA chain is cleaned up when products are uninstalled.  Calling in custom scripts or adding registry keys in an MSI during uninstallation can be used to forcibly set the GINA chain to the desired settings.  Manipulating the GINA chain normally involves a little extra design, configuration, and testing, but can save you from incapacitating entire groups of machines when deploying software.

Questions? Feel free to reach out to us at IDMWorks.

Tags: , , ,
Posted in Access Management, Enterprise Single Sign On (ESSO), Password Management, Tips & Tricks | No Comments »

Baby Steps – Password Management

Thursday, July 29th, 2010

To build on an earlier posting, I would like to touch on the phased approach to implementing an Identity Management solution. I was recently on an engagement where the customer requested that we implement an identity management product and an single sign on product to perform a simple phase one approach. The project had a primary focus on password management on the Identity Management side and Web SSO to a handful of key applications for the customer. Within three weeks we implemented password synchronization from AD to IdM and three secondary resources, Forgotten password management using custom Questions and Answers, and password reset via a web interface. We also implemented Web SSO to a handful of key enterprise applications.

The key point here is that the project was focused and limited to a specific achievable goal. The project was a success in a short period of time and produced a quick win for the vendor, the customer and our team. Password management and Web SSO are fairly straight forward and simple parts of an Identity and Access Management project and they produce highly visible and easy to quantify ROI for the customer. The visibility is across the board.

The end user experience of being able to login once to access much of their entitlements, to clicking on a simple link if they forget their passwords, to having their passwords automatically synchronized across the enterprise when they change it.

System Administrators and Help Desk personnel are able to focus on more important aspects of their jobs and less on resetting passwords.

Management can watch as the number of help desk tickets and the productivity of their System Administrator teams improves.

Password Management is a great first step towards easing the administrative burden on some of the same teams that will be key in implementing future phases if the IAM infrastructure. It is a great strategy that many enterprises miss out on when they attempt a “Big Bang” implementation and end up with a fragmented solution and a stressed out project team. I can’t stress enough how important it is to only bite off only what you can chew and allow the ‘Process’ to work for you.

Tags:
Posted in Access Management, Best Practices, Identity Management, Password Management, Roadmap | No Comments »

Provisioning Roadmap

Monday, July 19th, 2010

Identity Management – Best Practices

With the current regulations and audit requirements being placed on organizations, many companies are looking to Identity Management (IdM) solutions to help achieve control of who has access to what resources. This includes not only the provisioning of access rights, but also the ability to change access when individuals change positions, and rapidly and completely remove access when employment in terminated.

The available commercial off-the-shelf (COTS) applications are very capable of performing these tasks in an automated fashion and include many features such as enterprise wide password management, self serve functionality, approval workflows, timed events, high privilege account management (firecall accounts), Role Based Access Control (RBAC), and compliance reporting. With all these capabilities, it becomes obvious in a very short period of time that these features will provide great value to an organization by eliminating or reducing manual processes, decreasing potential for human error, improving the time to productivity of new employees, and maintaining control of who is accessing what resources.

The identity management companies will be more then happy to tell you all the wonderful benefits available with their products, these benefits can be huge. What you may have difficulty determining is what it is going to take to deploy this software. During the sales cycle, you will hear many grand stories of how a vendor can assess your environment and accurately design an implementation solution within a couple of brief weeks — and that the actual deployment will take place and be in production in no time. This is also where the flashing red lights should go off with a large blinking “warning” sign in your head.

Let’s face it, in order to properly deploy an enterprise-wide IdM solution, you are redefining how a critical component of your business operates, or, in other words, you’re taking on a business re-engineering effort. To suggest that this can be done in a short period of time with little design effort is not only unrealistic, but rather insulting. Now with a bit of the dirty laundry about identity management on the table, let’s talk about a realistic approach if you truly plan on succeeding with this endeavor.

Consulting Versus In-House

Many companies have attempted to deploy IdM solutions on their own with varied levels of success. Unless you have resources on staff with a significant amount of experience in this area, experts suggest you consider hiring a company that is well versed in the technology you choose. These projects consist of a plethora of integration activities along with very detailed configuration parameters, requiring individuals skilled in many different areas. Of course, there are many training courses available to teach the technology. However, it has been proven time and again that, without real world deployment experience, the information gained in the training class will only take you about half the distance required to handle a full-blown production deployment.

In the interest of becoming self sufficient in the shortest order of time, sending your staff to training just before the implementation activities begin, and then having them work side by side with the consulting team, produces the best results. This allows the freshly trained staff member to work with experienced individuals in their own environment.

Over the past several years, best practices have proven that multi-phased implementations are truly the only realistic approach. By training your staff early and then having them work with the consultant on the first couple of phases, they will be much better prepared to proficiently handle the additional phases with little or no assistance.

Design As You Go – Not Likely

If you are led down a path that suggests the assessment, design, and deployment of your IdM solution can be done in a few weeks, be assured that what will really be happening is a “design as it’s built” approach, and you will be riddled with change orders.

A similar scenario would be to hire a builder who presents you with a plan for a house that has a foundation, four walls, and a roof and will cost you $100,000 for live-in conditions. You sign the contract, and when the job is just about done, the contractor approaches you and inquires if you would also like windows in this house. Rather perplexed that this had not already been done in the initial phase of the project, you nod yes. He then tells you that an additional $50,000 is required to have that feature and he has to cut holes in the new walls. He then asks if you plan on having separate rooms in the house, which, again, of course you do, so now you need an additional $250,000. Next come questions about lights, bathrooms, kitchen, doors, etc. You get the point. For an additional $500,000 above the original estimate, you get the house you really wanted. Bottom line: you realize if you had hired an architect, all these things would have been handled initially. You would have known the true cost of the project at the get-go.

Like this scenario above, the proper approach to an IdM deployment is for your vendor to understand your requirements at the beginning, perform an assessment, and then develop a solution design. Of course, throughout the design, you should be interacting closely with the vendor to make sure that the end result is what you really want implemented.

Process is King

The way your company has evolved has been the impetus for many of your current methods of getting the job done. At the time it was done, it probably was the most efficient way to resolve the issue at hand, but over time you add more complexity, more features, more functionality, but rarely re-evaluate the method in which access is granted. This results in “wedging” in a quick fix to get the desired solution accessible in the quickest manner possible. This is all done to meet business requirements and to ignore that in the design phase would be irresponsible.

Remember, an IdM deployment is a business process re-engineering effort. In order for any vendor to properly deploy the solution, they must first gain an understanding of your current processes and requirements in order to ensure that the desired end result is achieved in the new solution. Once they have done that, the design process can begin, which should also have clearly defined “to be” process models.

Now that the requirements have been gathered, assessment and design completed, the vendor should be in a position to give you a very accurate statement of work and project plan that ties back directly to the design document.

Up to this point we have discussed what it takes to get to the deployment stages of an IdM solution. By now you may realize that these are the most critical elements to achieve success. Let’s face it, if you don’t have a road map, you will get lost and will be asking for a lot of costly directions.

Staged approach

A staged or “phased” approach to implementing an IdM Solution is the only realistic approach. This “phased” approach creates an organized time line and project plan for rolling out an IdM solution in the shortest possible amount of time and with the lowest possible costs for an organization, while at the same time minimizing risk in proportion to the scope and requirements of the entire project.

The simplest rationale to this implementation plan is to enable your internal staff with the appropriate skills as early as possible in each key stage and milestone to enable self-reliance as quickly as possible.

This approach also naturally restricts each phase into manageable chunks, while delivering clear, tangible value every step of the way, so your organization can commit to business-related deliverables and deliver those values and ROI as planned.

Phase 1: As soon as the base IdM solution is installed, the first few critical applications or back-end system should be integrated into the IdM system. Once those back-end resources are connected, orphan accounts will be identified, adopted and otherwise cleaned up, and self-service capabilities for that user base will be initiated for password resets and forgotten passwords.

Phase 1A should include the automatic provisioning and workflow for infrastructure accounts for those same critical systems. This process should be dynamically driven by attribute evaluation, based on organizational unit, job title, business role, etc. Once that process is complete, automated approval workflows and RFI workflows should be created.

Once Phase 1 and 1A are complete, they can be combined and repeated by your group to bring on other standard systems. We assume that during the first Phase 1 and Phase 1A, internal staff is learning the necessary skills in which to achieve this, so more activities can be conducted internally and in parallel as the project progresses, thus ultimately reducing your overall time-to-market and implementation costs.

Phase 2 will include all the non-infrastructure based applications and systems in your IdM implementation, and will be dependent on the integration of the systems rolled out in phases 1 and 1A.

Ultimately, lessons learned will enable refinement and replication across other business units. Although this project phase is the most complex and far-reaching, it ultimately will have the highest long-term rewards.

While implementing an IdM solution, it is recommended that to recognize the full value of that solution, organizations should be moving toward a role-based provisioning model. Phase 2 should include the formation of Role-Based Access Controls (RBAC) for out-of-the-box services and applications (services and applications which require custom connections into the system will be done in Phase 3). A full analysis of business role requirements will be conducted, as well as the mapping of business roles to actual user and group access rights. Depending on the size of the organization, this process can be conducted much more quickly and efficiently using a vendor-based solution.

Ultimately, once this mapping and analysis is complete, these roles and policies should be defined as either static or dynamic within the IdM system. Once this process is finished, provisioning and de- provisioning of access rights will be fully automated and role-driven.

Tags: , , , , , ,
Posted in Best Practices, Identity Management, Identity Provisioning, Password Management, RBAC, Risk & Compliance, Roadmap, Role Management, Security & Risk | No Comments »

Custom extensions for Citrix Password Manager

Thursday, July 8th, 2010

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

Whether installed as a standalone solution or as a feature of a Citrix XenApp farm, Citrix Password Manager (CPM) provides a secure and effective Single Sign On (SSO) solution.  Users benefit from no longer having to remember (or worse jot down on scrap paper) the numerous credentials needed to access the systems they use.  Organizations benefit from reduced Help Desk/Password Reset activities and greater control over user credentialing processes. Add in provisioning services, Windows account reset, and Smart Card integration and you have an solution that can rapidly fill many pressing security needs.  Complexity associated with installation and configuration of the system is driven largely by the existing infrastructure and applications, but Citrix does a fairly good job of limiting the moving pieces and the installation process is straightforward.  Basically you’ll need to get 4 things in place:

  1. A Central Store to keep all those credentials.  Citrix supports Active Directory, NTFS File Share, and Novell shared folder repositories.
  2. A client side application to retrieve credentials from the Central Store, cache them to the local machine, and submit them to the application
  3. A License Server as Citrix has this crazy notion about getting paid for some reason
  4. Application definitions that define how CPM should identify and react to applications of interest

For Application Definitions, Citrix provides a tool cunningly call the Application Definition Tool that walks you through the process.  Definitions can be created to handle Logon events as well as Password change events.  The latter includes Password Format validation designed to help the user (or even CPM itself) create a password that meets each application’s strength, length, and complexity requirements.  CPM provides these wizards for typical Windows applications, Web based applications, as well as Host based applications presented to the user in a HLLAPI compliant emulator.  Each has its individual quirks, but most technical professionals, even managers, will find the process straightforward.

There are times, however, that even the best efforts of Citrix and the Application Definition Tool are not up to the task.  For those situations allows CPM to call external applications that can manage credential submission.  The external applications can be written in any Windows compliant language and once again Citrix provides a fairly straight forward path.  Again a quick look at the moving parts:

  1. An Application Definition is still required to identify the application of interest. The key difference, however, is that instead (or in addition to) having CPM take actions upon the application itself, CPM executes you custom extension.   Since the users local credential store is encrypted and in accessible to any other applications CPM can be instructed to pass credential information to the external application as command line parameters.
  2. Since the Application Definition is only told  the name of the executable, a registry key of the same name located at [HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password
    Manager\Extension\{ExtensionName}] where {ExtensionName} is replaced with the name that you gave to the Application Defintion. Of the several values that need to be set in the key, there are two that are the most interesting. The ‘Excutable’ value must contain the path to the extension’s compiled binary. The ‘Arguments’ value would contain any commandline parameters that you like passed. For instance, a value of “/u $_USERNAME /p $_PASSWORD” will pass the UserName and Password for the extension’s use.
  3. The extension itself placed in the folder identified in the key above.

Each of these elements must be installed on each client machine that will use the extension, but once it is the possibilities are endless.  As compiled Windows applications, extensions have the ability to access any and all services available to any other application.  In addition, they could be used to access other systems that may be in place.  External auditing applications, usage tracking services, extended logging, real time centralized validation…. literally any application or service that you have, or want to create, can be accessed and integrated into your custom extension.

Questions? Feel free to ask away at IDMWorks.

Tags: , , , ,
Posted in Citrix, Citrix Password Manager, Citrix XenApp, Password Management, Tips & Tricks | No Comments »