Archive for the ‘Roadmap’ Category

Why use Identity Management Standards?

Monday, February 21st, 2011

Why would an enterprise want to have standards support across all of their systems?

A typical enterprise has software and technology from more than just one vendor. They have technology from Oracle, Microsoft, IBM, SAP, etc.

Their identity management systems need to support standards and integrate well with all of the third-party systems found in a typical enterprise. So when selecting a vendor’s Identity Management software, make sure it has been designed to work seamlessly through standards and, where no standard exists, still integrates cleanly with other enterprise applications.

There are many open standards for Identity and Access Management that can be implemented, such as SPML for provisioning, SAML for federation, XACML for externalized authorization, Information Cards, OpenID/OAuth for user-centric identity and IGF for identity governance.

Looking to produce an RFP for vendor selection? Give IDMWorks a shout.

So what is your Identity Strategy?

Thursday, December 23rd, 2010

When visiting a client, prospective client, or just having general discussions with folks, I find more often than not that an Identity Strategy is non-existent. It’s not that Identity Management is being ignored, because plenty of companies have some form of IdM initiative under way, but what I find is that a non-cohesive approach is being taken.

At some point in time, perhaps, it is determined that a provisioning solution is required in a company. A solution is procured, installed, tested, and then placed into production generally supporting a few end-points. In many cases, the initiative stops there, while in other cases additional end points are added in an ad-hoc manner.

Typically there is another project undertaken, possibly by another group within the same company, to provide access management. Once again a few end-points are protected in the initial implementation with others added in a rather casual manner. Often this is done in silos without any regard to other initiatives or existing technology.

Subsequently the auditors come in and expose some or all of the violations of various regulations related to access, data protection, and the like. A flurry of activity occurs throughout the organization, with people rifling through spreadsheets, adjusting access on the fly, and making poorly informed decisions in a hurry. A COTS (commercial off-the-shelf) solution may be brought into the mix to expedite the overall process, but by now you’re already behind the infamous eight ball.

In this example three different yet inter-related challenges have been approached to some degree. Chances are that the technologies that were obtained don’t play well together, different firms were used to assist in the implementation, and let’s not even get into the details of integration, troubleshooting or cost containment.

Unfortunately this scenario is commonplace and is disruptive at best.

Keeping this in mind, and knowing that these issues exist within your organization, does it not make sense to develop a strategy for approaching the challenge holistically? You may be thinking that you already have one or two of the key elements that would be considered part of an Identity Management solution, leading you to believe that you have a strategy. I would argue that having a few components does not necessarily imply that you have a strategy, or for that matter a well thought out solution.

So where do we go from here?

First and foremost, take into account the current environment:

  • What does the current IT infrastructure look like?
  • What are the current business processes?
  • Do we understand the current state use cases?
  • Is the organization exposed to internal and/or external attacks?
  • Are there active audit requirements?
  • Are there regulations to adhere to?
  • Are current and future business requirements understood?

So I pose this question: can you answer all of the above questions and provide the documentation to back it up? If the answer is yes, then you are in great shape to begin putting together a strategy. If the answer is no, then you are not quite ready to draft a meaningful strategy that will address short-term requirements and long-term goals.

Let’s assume for the sake of the discussion that all the information outlined above is available and in one place. The next step is to prioritize objectives. The drivers behind these objectives generally have meaningful business impact, and some are more urgent than others.

Now you understand the current state, potential exposures, business requirements, and priorities. It appears that you are ready to start applying solutions based on priority. Right?

Well…..not so fast. If we are to apply new solutions we should really know:

a) How will the organization’s processes change?
b) What do the future state use cases look like?
c) How are the exposures addressed?
d) Can the organization pass audits?
e) How does the organization achieve and maintain regulatory requirements?

Answer these questions and you are at the point where the actual strategy can be developed. This initial part of the strategy should be done without taking specific products into consideration. Instead, a process re-engineering approach that highlights functionality over technology should be pursued. Technology is a method to implement your strategy, but it is not your strategy. Once the above questions can be addressed, documented, and prioritized, it’s time to start considering specific technologies that will address the strategy.

At this point the business can decide to go through a Request for Proposal (RFP), a Request for Information (RFI), or go directly to a couple of trusted vendors in order to secure the best technology to address the strategy. Either way, a decision can then be made on the best approach: a single technology vendor (one throat to choke) to address all of the needs, or a best-of-breed technology selection (like a Chinese restaurant menu, a little from column A, a little from column B).

Both of these approaches carry merit and a lot depends on your organization’s approach, methods and often, political leanings.

Once that is done it’s time to begin the tactical deployment, and the real fun begins.

None of the activity outlined in this post is overly easy, but ultimately taking the time and money up front to define a complete strategy is going to provide:

  • High impact by addressing the high priority business requirements first
  • Reduction of overall cost by having a defined plan and incorporating solutions to meet business demand as needed
  • The ability to define, build, maintain, and adapt a long term enterprise wide solution versus applying point solutions on the fly
  • The ability to apply technology solutions to address specific business needs (and not for the sake of the technology itself)

These can be muddy waters to navigate without a lot of understanding in process engineering, industry knowledge, technology skills, understanding of best practices, and broad insight into what has worked for other organizations.

Now for the rub…IDMWorks is a World Class consulting organization bringing years of proven experience in the Identity Management arena. We welcome the opportunity to help you define your Identity Strategy.

So feel free to contact us and let us show you how we can assist.

Zen and the Art of Identity Management

Monday, November 15th, 2010

Interestingly enough, I have been asked many times what exactly IDMWorks is and what it is that we do (and I don’t just mean by the wife and kids). As such it seems time for the quasi-annual blog sales pitch. I think most of our readers have an idea what we do and have perused the site to better inform themselves, but there are some that don’t tread any farther than this here blog. So in keeping with the simplicity of blogvertising, I present you IDMWorks.

Subject:  Enterprise Identity & Access Management and Governance, Risk & Compliance

You may be aware of many of the issues organizations are facing today around the various challenges and aspects of Identity Management and Information Security.

At IDMWORKS we understand the problems that many of you are facing and are positioned to help. IDMWORKS is a vendor-agnostic Identity Management, Access Management, and Governance, Risk and Compliance Management consultancy. We have consultants and engineers across the United States and North America who specialize in helping clients with most aspects of Identity, Access Management, and GRC issues, including the following:

  • Identity and Access Management technology evaluations and POCs
  • Identity Management strategy creation, Integration and Deployment
  • Identity Management / IT Security Technologies Assessment, Evaluation,  and Planning
  • Identity Management / IT Security Education
  • Pre & Post Identity Management project Support Services
  • Identity Federation
  • PCI Compliance
  • Governance, Risk and Compliance Management, Provisioning
  • Single Sign-on and Web Access management
  • Data Loss Prevention

IDMWORKS has been built upon the skills and experience of dedicated IDM professionals and specialists, with a customer base that includes Government, Healthcare, Education, Financial Services, Energy, Manufacturing and Retail clients.

IDMWORKS has experience with the integration and implementation of the market-leading Identity & Access Management and GRC solutions and technologies – CA, Oracle/Sun, Novell, IBM, Aveksa, Citrix, Passlogix, and SailPoint, to name a few – and would welcome the opportunity to discuss your IT Security needs to determine how we can help.

We would like to offer you the opportunity to take advantage of an initial Identity Management and Compliance Assessment. The results of the assessment will include recommendations on potential solutions to address your current Identity Management and GRC related issues.

For further information or to arrange an initial consultation, contact IDMWorks to discuss how we can help with a solution to address your needs.

Novell’s future, confusing at best…

Thursday, September 23rd, 2010

If you haven’t already heard, VMware is thinking about buying Novell’s Linux platform, SUSE Linux Enterprise (a rumor since late August). This is a bold move for VMware, which has been seeing increasing competition from Microsoft and Oracle in the virtualization space. It would also give Red Hat a run for its money in the Enterprise Linux business.

Questions abound…

1) What space will Novell concentrate on?

  • Identity & Security – check
  • Cloud – check
  • File Management Solutions – check
  • PlateSpin and other niche technologies – check

2) Does this mean that Novell is a better acquisition target now that they are a little smaller?

3) Will this cause any uncertainty when folks are buying Novell software?

All of this Novell acquisition talk makes me wonder about what the true Novell strategy is.

4) Why would Novell give up a fantastic distribution of Linux (and all of the tools that come with it, such as SUSE Studio)?

5) Given that some of our customers are VMware and SUSE customers, this is fantastic news; however, for those that are VMware and *nix customers, is this bad news?

I’m eager to see how this plays out in the next few weeks, even more eager to see what our customers will do should this purchase go through…

Any comments?

Baby Steps – Password Management

Thursday, July 29th, 2010

To build on an earlier posting, I would like to touch on the phased approach to implementing an Identity Management solution. I was recently on an engagement where the customer requested that we implement an identity management product and a single sign-on product as a simple phase one. The project had a primary focus on password management on the Identity Management side and Web SSO to a handful of key applications for the customer. Within three weeks we implemented password synchronization from AD to IdM and three secondary resources, forgotten password management using custom questions and answers, and password reset via a web interface. We also implemented Web SSO to a handful of key enterprise applications.

The key point here is that the project was focused and limited to a specific, achievable goal. The project was a success in a short period of time and produced a quick win for the vendor, the customer and our team. Password management and Web SSO are fairly straightforward and simple parts of an Identity and Access Management project, and they produce highly visible and easy-to-quantify ROI for the customer. The visibility is across the board.

End users can log in once to reach most of their entitlements, click a simple link if they forget their password, and have a password change synchronized across the enterprise automatically.

System Administrators and Help Desk personnel are able to focus on more important aspects of their jobs and less on resetting passwords.

Management can watch help desk ticket volume fall and the productivity of their System Administrator teams improve.

Password Management is a great first step towards easing the administrative burden on some of the same teams that will be key in implementing future phases of the IAM infrastructure. It is a strategy that many enterprises miss out on when they attempt a “Big Bang” implementation and end up with a fragmented solution and a stressed-out project team. I can’t stress enough how important it is to bite off only what you can chew and allow the ‘Process’ to work for you.
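The phase-one scope described above (forgotten-password questions and answers, a web-based reset, and synchronization of the new password from the authoritative directory to secondary resources) is small enough to sketch end to end. The following is an added example written for this page; it is not code from the original post or from any IdM product. The `set_password` connector interface, the `InMemoryResource` stand-ins for AD and the secondary systems, the `PasswordManager` class and the enrolled user are assumptions made for illustration. It shows the two checks a practitioner will want in even a "simple" phase one: security answers are stored salted and stretched like any other credential and compared in constant time, and the reset link is a single-use, time-limited token.

```python
"""Self-service password reset with synchronization to secondary resources.

Added example; this is not code from the original post or from any IdM
product. The connector interface (set_password), the challenge layout and
the sample data are assumptions made for illustration.
"""
import hashlib
import hmac
import os
import secrets
import time
import unicodedata


class InMemoryResource:
    """Stand-in for AD or a secondary system (assumed; real connectors use LDAP or vendor APIs)."""

    def __init__(self, name):
        self.name = name
        self.passwords = {}

    def set_password(self, uid, new_password):
        self.passwords[uid] = new_password


def normalize_answer(answer):
    # Case-fold and trim so "Fluffy " and "fluffy" match; NFKC unifies Unicode forms.
    return unicodedata.normalize("NFKC", answer).casefold().strip()


def hash_answer(answer, salt=None, iterations=100_000):
    # Security answers are credentials: store them salted and stretched, never in clear text.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, iterations)
    return salt, digest


class PasswordManager:
    RESET_TOKEN_TTL = 600   # seconds a reset link stays valid
    MAX_FAILURES = 5        # wrong-answer attempts before the help desk must step in

    def __init__(self, resources):
        self.resources = resources   # connectors; the first is the authoritative source (AD here)
        self.challenges = {}         # uid -> [(question, salt, digest), ...]
        self.failures = {}           # uid -> consecutive failed verifications
        self.tokens = {}             # token -> (uid, expiry)

    def enroll(self, uid, qa_pairs):
        self.challenges[uid] = [(q,) + hash_answer(a) for q, a in qa_pairs]

    def verify_answers(self, uid, answers):
        """Return a one-time reset token if every stored answer matches, else None."""
        stored = self.challenges.get(uid)
        if not stored or self.failures.get(uid, 0) >= self.MAX_FAILURES:
            return None
        ok = len(stored) == len(answers)
        for (_, salt, digest), given in zip(stored, answers):
            _, candidate = hash_answer(given, salt)
            ok &= hmac.compare_digest(digest, candidate)   # constant-time comparison
        if not ok:
            self.failures[uid] = self.failures.get(uid, 0) + 1
            return None
        self.failures[uid] = 0
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (uid, time.time() + self.RESET_TOKEN_TTL)
        return token

    def reset_with_token(self, token, new_password):
        """Consume the token (single use, time-limited) and push the new password everywhere."""
        entry = self.tokens.pop(token, None)
        if entry is None:
            return None
        uid, expiry = entry
        if time.time() > expiry:
            return None
        return self.synchronize(uid, new_password)

    def synchronize(self, uid, new_password):
        """Password synchronization: apply one change to every connected resource."""
        updated = []
        for resource in self.resources:
            try:
                resource.set_password(uid, new_password)
                updated.append(resource.name)
            except Exception:
                # A failed secondary must not block the rest; in production, queue a retry and alert.
                continue
        return updated
```

A reset flow is an authentication path, so it is treated as one here: answers are compared with `hmac.compare_digest`, the lockout counter limits guessing, and the token is removed from `tokens` on first use so a captured link cannot be replayed. The synchronization loop continues past a failing secondary resource because a stale password on one legacy system should not leave the user locked out of everything else.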

Provisioning Roadmap

Monday, July 19th, 2010

Identity Management – Best Practices

With the current regulations and audit requirements being placed on organizations, many companies are looking to Identity Management (IdM) solutions to help achieve control of who has access to what resources. This includes not only the provisioning of access rights, but also the ability to change access when individuals change positions, and to rapidly and completely remove access when employment is terminated.

The available commercial off-the-shelf (COTS) applications are very capable of performing these tasks in an automated fashion and include many features such as enterprise-wide password management, self-service functionality, approval workflows, timed events, high-privilege account management (firecall accounts), Role Based Access Control (RBAC), and compliance reporting. With all these capabilities, it becomes obvious in a very short period of time that these features will provide great value to an organization by eliminating or reducing manual processes, decreasing the potential for human error, improving the time to productivity of new employees, and maintaining control of who is accessing what resources.

The identity management companies will be more than happy to tell you all the wonderful benefits available with their products, and these benefits can be huge. What you may have difficulty determining is what it is going to take to deploy this software. During the sales cycle, you will hear many grand stories of how a vendor can assess your environment and accurately design an implementation solution within a couple of brief weeks, and that the actual deployment will take place and be in production in no time. This is also where the flashing red lights should go off with a large blinking “warning” sign in your head.

Let’s face it, in order to properly deploy an enterprise-wide IdM solution, you are redefining how a critical component of your business operates, or, in other words, you’re taking on a business re-engineering effort. To suggest that this can be done in a short period of time with little design effort is not only unrealistic, but rather insulting. Now with a bit of the dirty laundry about identity management on the table, let’s talk about a realistic approach if you truly plan on succeeding with this endeavor.

Consulting Versus In-House

Many companies have attempted to deploy IdM solutions on their own with varied levels of success. Unless you have resources on staff with a significant amount of experience in this area, experts suggest you consider hiring a company that is well versed in the technology you choose. These projects consist of a plethora of integration activities along with very detailed configuration parameters, requiring individuals skilled in many different areas. Of course, there are many training courses available to teach the technology. However, it has been proven time and again that, without real world deployment experience, the information gained in the training class will only take you about half the distance required to handle a full-blown production deployment.

In the interest of becoming self sufficient in the shortest order of time, sending your staff to training just before the implementation activities begin, and then having them work side by side with the consulting team, produces the best results. This allows the freshly trained staff member to work with experienced individuals in their own environment.

Over the past several years, best practices have proven that multi-phased implementations are truly the only realistic approach. By training your staff early and then having them work with the consultant on the first couple of phases, they will be much better prepared to proficiently handle the additional phases with little or no assistance.

Design As You Go – Not Likely

If you are led down a path that suggests the assessment, design, and deployment of your IdM solution can be done in a few weeks, be assured that what will really be happening is a “design as it’s built” approach, and you will be riddled with change orders.

A similar scenario would be to hire a builder who presents you with a plan for a house that has a foundation, four walls, and a roof and will cost you $100,000 for live-in conditions. You sign the contract, and when the job is just about done, the contractor approaches you and inquires if you would also like windows in this house. Rather perplexed that this had not already been done in the initial phase of the project, you nod yes. He then tells you that an additional $50,000 is required to have that feature and he has to cut holes in the new walls. He then asks if you plan on having separate rooms in the house, which, again, of course you do, so now you need an additional $250,000. Next come questions about lights, bathrooms, kitchen, doors, etc. You get the point. For an additional $500,000 above the original estimate, you get the house you really wanted. Bottom line: you realize if you had hired an architect, all these things would have been handled initially. You would have known the true cost of the project at the get-go.

As in the scenario above, the proper approach to an IdM deployment is for your vendor to understand your requirements at the beginning, perform an assessment, and then develop a solution design. Of course, throughout the design, you should be interacting closely with the vendor to make sure that the end result is what you really want implemented.

Process is King

The way your company has evolved has been the impetus for many of your current methods of getting the job done. At the time it was done, it probably was the most efficient way to resolve the issue at hand, but over time you add more complexity, more features, more functionality, but rarely re-evaluate the method in which access is granted. This results in “wedging” in a quick fix to get the desired solution accessible in the quickest manner possible. This is all done to meet business requirements and to ignore that in the design phase would be irresponsible.

Remember, an IdM deployment is a business process re-engineering effort. In order for any vendor to properly deploy the solution, they must first gain an understanding of your current processes and requirements in order to ensure that the desired end result is achieved in the new solution. Once they have done that, the design process can begin, which should also have clearly defined “to be” process models.

Now that the requirements have been gathered, assessment and design completed, the vendor should be in a position to give you a very accurate statement of work and project plan that ties back directly to the design document.

Up to this point we have discussed what it takes to get to the deployment stages of an IdM solution. By now you may realize that these are the most critical elements to achieve success. Let’s face it, if you don’t have a road map, you will get lost and will be asking for a lot of costly directions.

Staged approach

A staged or “phased” approach to implementing an IdM Solution is the only realistic approach. This “phased” approach creates an organized time line and project plan for rolling out an IdM solution in the shortest possible amount of time and with the lowest possible costs for an organization, while at the same time minimizing risk in proportion to the scope and requirements of the entire project.

The simplest rationale for this implementation plan is to enable your internal staff with the appropriate skills as early as possible in each key stage and milestone, to enable self-reliance as quickly as possible.

This approach also naturally restricts each phase into manageable chunks, while delivering clear, tangible value every step of the way, so your organization can commit to business-related deliverables and deliver those values and ROI as planned.

Phase 1: As soon as the base IdM solution is installed, the first few critical applications or back-end systems should be integrated into the IdM system. Once those back-end resources are connected, orphan accounts will be identified, adopted or otherwise cleaned up, and self-service capabilities for that user base will be initiated for password resets and forgotten passwords.

Phase 1A should include the automatic provisioning and workflow for infrastructure accounts for those same critical systems. This process should be dynamically driven by attribute evaluation, based on organizational unit, job title, business role, etc. Once that process is complete, automated approval workflows and RFI workflows should be created.

Once Phase 1 and 1A are complete, they can be combined and repeated by your group to bring on other standard systems. We assume that during Phase 1 and Phase 1A internal staff are learning the skills necessary to achieve this, so more activities can be conducted internally and in parallel as the project progresses, ultimately reducing your overall time-to-market and implementation costs.

Phase 2 will include all the non-infrastructure based applications and systems in your IdM implementation, and will be dependent on the integration of the systems rolled out in phases 1 and 1A.

Ultimately, lessons learned will enable refinement and replication across other business units. Although this project phase is the most complex and far-reaching, it ultimately will have the highest long-term rewards.

To recognize the full value of an IdM solution, organizations should be moving toward a role-based provisioning model while implementing it. Phase 2 should include the formation of Role-Based Access Controls (RBAC) for out-of-the-box services and applications (services and applications which require custom connections into the system will be done in Phase 3). A full analysis of business role requirements will be conducted, as well as the mapping of business roles to actual user and group access rights. Depending on the size of the organization, this process can be conducted much more quickly and efficiently using a vendor-based solution.

Ultimately, once this mapping and analysis is complete, these roles and policies should be defined as either static or dynamic within the IdM system. Once this process is finished, provisioning and de-provisioning of access rights will be fully automated and role-driven.
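The three mechanisms the phases above rely on (orphan-account identification against an authoritative source in Phase 1, attribute-driven provisioning in Phase 1A, and static versus dynamic roles producing automated provisioning and de-provisioning in Phase 2) are easier to reason about in code. The following is an added example written for this page, not code from the original post or from any IdM product. The HR feed, the account list found on the target system, the `Identity` and `Role` records, the role definitions and the attribute names (`ou`, `title`) are constructed assumptions. It computes the grants and revocations needed to bring the targets into line with the role model, including the two cases the post warns about: a terminated user who still has access, and a hand-granted entitlement that no role explains.

```python
"""Orphan-account reconciliation and attribute/role-driven provisioning.

Added example; this is not code from the original post or from any IdM
product. The HR feed, the accounts found on a target system, the role
definitions and the attribute names are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

Entitlement = Tuple[str, str]      # (target system, group or profile on that system)
Grant = Tuple[str, str, str]       # (uid, target system, group)


@dataclass(frozen=True)
class Identity:
    uid: str
    status: str     # "active" or "terminated", as reported by the authoritative HR source
    ou: str         # organizational unit
    title: str


@dataclass(frozen=True)
class Role:
    name: str
    entitlements: FrozenSet[Entitlement]
    # Dynamic role: membership is computed from attributes on every run.
    # Static role (rule=None): held only through an explicit, typically approval-gated, assignment.
    rule: Optional[Callable[[Identity], bool]] = None


def find_orphans(identities: Iterable[Identity], target_accounts: Iterable[str]) -> List[str]:
    """Phase 1: accounts on a connected target with no active authoritative identity behind them."""
    active = {i.uid for i in identities if i.status == "active"}
    return sorted(acct for acct in target_accounts if acct not in active)


def effective_roles(identity: Identity, roles: Iterable[Role], static: Dict[str, Set[str]]) -> Set[str]:
    """Roles an identity holds right now; a terminated identity holds none, whatever was assigned."""
    if identity.status != "active":
        return set()
    held = set()
    for role in roles:
        if role.rule is not None:
            if role.rule(identity):
                held.add(role.name)
        elif role.name in static.get(identity.uid, set()):
            held.add(role.name)
    return held


def desired_grants(identities, roles, static) -> Set[Grant]:
    by_name = {r.name: r for r in roles}
    want: Set[Grant] = set()
    for identity in identities:
        for role_name in effective_roles(identity, roles, static):
            for system, group in by_name[role_name].entitlements:
                want.add((identity.uid, system, group))
    return want


def plan_changes(identities, roles, static, current: Iterable[Grant]) -> Tuple[List[Grant], List[Grant]]:
    """Role-driven provisioning: (grants to add, grants to revoke) so targets match the role model."""
    want = desired_grants(identities, roles, static)
    have = set(current)
    return sorted(want - have), sorted(have - want)


# --- constructed sample data (not real) ---
ROLES = [
    Role("employee", frozenset({("AD", "All-Staff"), ("email", "mailbox")}), rule=lambda i: True),
    Role("finance-user", frozenset({("erp", "GL-Read")}), rule=lambda i: i.ou == "Finance"),
    Role("erp-admin", frozenset({("erp", "GL-Post"), ("erp", "Admin")})),   # static, approval-gated
]
IDENTITIES = [
    Identity("alice", "active", "Finance", "Controller"),
    Identity("bob", "active", "Engineering", "Developer"),
    Identity("carol", "terminated", "Finance", "Analyst"),
]
STATIC_ASSIGNMENTS = {"alice": {"erp-admin"}}
# What the targets currently hold: carol still has access, bob has a hand-granted ERP entitlement.
CURRENT_GRANTS = {
    ("alice", "AD", "All-Staff"),
    ("bob", "erp", "GL-Read"),
    ("carol", "AD", "All-Staff"),
    ("carol", "erp", "GL-Read"),
}
ERP_ACCOUNTS = ["alice", "bob", "carol", "svc_legacy"]

if __name__ == "__main__":
    print("orphans on ERP:", find_orphans(IDENTITIES, ERP_ACCOUNTS))
    grant, revoke = plan_changes(IDENTITIES, ROLES, STATIC_ASSIGNMENTS, CURRENT_GRANTS)
    print("grant:", grant)
    print("revoke:", revoke)
```

Two design points carry over to a real deployment. First, `effective_roles` returns nothing for a terminated identity before any static assignment is consulted, so de-provisioning on termination does not depend on someone remembering to remove role memberships. Second, the plan is computed as a set difference between what the roles say and what the targets actually hold, which is what surfaces "wedged-in" access such as bob's `GL-Read` grant; in practice that revoke list is reviewed before it is applied, and the `svc_legacy` orphan is the sort of account that gets adopted under an owner rather than deleted outright.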