Posts Tagged ‘GRC’

Identity Management & the Art of Removing Cloud Security Obstacles

Thursday, February 17th, 2011

First the fun: why Cloud? Well, we seem to define this a lot here at IDMWorks.

The quick and dirty:

1. Pay As You Go Approach to IT
There is no upfront cost and this helps keep the cost down for the service consumers. Cloud computing is a pay-as-you-go approach, in which a low initial investment is required to get started, and additional investment is incurred as system usage increases.

2. Highly Available Infrastructure
Many cloud providers sell their service as highly available. This gives Cloud services the aura of a utility: always on, and usable anytime and from anywhere.

3. Strong Time to Value Ratio
With Cloud computing, organizations realize benefits more rapidly than with the traditional packaged software model. In the traditional IT model, a large investment is made early in the project, prior to system build-out and well before tangible business benefits are realized. This model carries several risks, since a large percentage of IT projects are cancelled due to poor ROI or poor user acceptance. Cloud gives IT a way to outsource non-critical functions to an organization better equipped to run those services.

4. Flexible Computing Model
Cloud computing offers much more flexibility than traditional computing models. Your employees can access information wherever they are rather than being tied to their desktops.

5. It’s Simple
One of the advantages of cloud computing is that businesses of all sizes can instantly obtain the benefits of the enormous infrastructure without having to implement and administer it directly.

Enough of the pitch, now on to Identity Management in the Cloud

Cloud Identity Challenges:

1. User Lifecycle Management:
New Cloud applications bring new management complications, more costs and administrative hassles. You may have invested hundreds of thousands or even millions in enterprise provisioning software only to find out that it does nothing to address your identities in the Cloud. There could be windows of time in which terminated contractors have not yet been de-provisioned from critical applications. As such, organizations quickly find they need a centralized infrastructure to manage user identity information effectively. Further, explosive growth in the use of web applications increases the complexity and administrative overhead of deciding which users should be entitled to access which applications. So it is critical in the cloud framework to facilitate self-service registration wherever possible. This leads to better agility, reduced help desk costs and greater convenience for end users.

2. Compliance:
As more services and applications are provided by third parties, organizations have new compliance issues to worry about. The more sensitive data we hold in these third-party applications, the more we need to be able to enforce the types of controls that keep us compliant.

3. Federated Authentication:
Federated authentication is the ability to collaborate seamlessly with your partners, vendors, and customers. An organization may already have all of its internal user identities stored in Active Directory and its external users, such as partners and vendors, in an LDAP directory, and it may want all of those users to use an external cloud application without replicating that identity information in a third-party product. Many organizations also want the convenience of having their users sign on once to access not only internal applications but also SaaS applications in the cloud.

Cloud Identity Solutions:

1. User Lifecycle Management:
Identity Administration helps solve the user lifecycle management challenge and many other common issues, such as self-service registration and compliance reporting. Automating the provisioning and de-provisioning of users, and the administration of user identities for both on-premise and cloud applications, bridges the security gap regardless of the size of the network. Adding Role Based Access Control (RBAC) means that when a user changes role, they are automatically de-provisioned from systems they no longer need and added to the ones relevant to their new role. Additionally, automated Identity Administration allows us to identify and remediate orphaned accounts (accounts whose owners are long gone).

Throw in user self-service access requests and self-service password reset capabilities and the User Lifecycle Process can be fully automated across the Cloud.

Need this to be standards driven?  Let’s implement SPML connectors.

2. Compliance:
Simply put, utilize Identity Management tools to log and report Who has access to What, When, Why, and How and fulfill those pesky regulatory requirements, such as Sarbanes-Oxley, 21 CFR Part 11, Gramm-Leach-Bliley, HIPAA, and HSPD-12.

3. Federated Authentication:
Need to collaborate seamlessly and yet securely across complex heterogeneous environments? Make sure your Single Sign-On solution can support SAML, Windows CardSpace, WS-Fed and/or OpenID.

In summation, contact IDMWorks and let us help you plan your Cloud based Identity & Access Management (IAM) security solutions around the core tenets:

1. Identity Management

a. Roles based User Provisioning

b. Self-Service Request &  Approval

c. Password Management

2. Access Management

a. Authentication & Fraud Prevention

b. Single Sign-On & Federation

c. Authorization & Entitlements

d. Web Services Security

e. Information Rights Management

3. Governance, Risk and Compliance (GRC)

a. Analytics

b. Fraud Prevention

c. Privacy Controls

Aveksa Post Unification Customization

Wednesday, January 26th, 2011

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

Oftentimes our clients want to create another identity attribute that is “calculated”. Maybe this is an overall status, or perhaps it’s an overall supervisor. Either way, you can implement a customization to accomplish this (and it’s a little complicated, so I have two sets of instructions, one for the business user and the other for the technical user).

Business Instructions:

  1. Inventory the custom attributes that you would like to aggregate / evaluate (typically in the form of CUS_ATTR_CAS_1##)
  2. Develop a SQL query that does what you need to do with these attributes
  3. Put the SQL query in the correct package file
  4. Import the changes into the database
  5. Test your changes

Technical Instructions:

  1. Log in to your database instance and query it to find the names of the attributes you’re interested in, e.g.:
     select * from t_extensible_schema_columns where display_name like '%status%';
  2. Develop the SQL query based on these attributes that does what you need.
  3. Create the following directory:
     ~oracle/database/packages/custom
  4. Copy the .pkb and .pks files into this custom directory and add your changes to the .pkb file.
  5. Launch sqlplus from the custom directory and log in as AVUSER.
  6. Import the .pks and .pkb scripts as follows:
     @'your_package_name'_Pkg.pks;
     @'your_package_name'_Pkg.pkb;
  7. Log back into the GUI and test your changes.
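As an added illustration of the kind of package change these steps describe (example code written for this post, not Aveksa’s own package code), here is a minimal spec/body pair that derives an overall status from two custom attributes, preceded by the attribute lookup and followed by a test query. The package name, the T_AV_USER table and the CUS_ATTR_CAS_101/102 column names are assumed placeholders; substitute the real names returned by the lookup query in your instance.

```sql
-- Lookup: find the physical columns behind the attributes of interest.
-- Oracle's LIKE is case-sensitive, so normalise the display name first
-- (the original query matches only a lower-case "status").
SELECT *
  FROM t_extensible_schema_columns
 WHERE LOWER(display_name) LIKE '%status%';

-- Custom_Status_Pkg.pks (spec). Package name is an assumed placeholder.
CREATE OR REPLACE PACKAGE custom_status_pkg AS
  -- Combines an HR status and a contractor-system status into one value.
  FUNCTION overall_status(p_hr_status         IN VARCHAR2,
                          p_contractor_status IN VARCHAR2) RETURN VARCHAR2;
END custom_status_pkg;
/

-- Custom_Status_Pkg.pkb (body)
CREATE OR REPLACE PACKAGE BODY custom_status_pkg AS
  FUNCTION overall_status(p_hr_status         IN VARCHAR2,
                          p_contractor_status IN VARCHAR2) RETURN VARCHAR2 IS
    -- NULL from a missing feed is treated as UNKNOWN, never as ACTIVE.
    v_hr  VARCHAR2(100) := UPPER(TRIM(NVL(p_hr_status,         'UNKNOWN')));
    v_con VARCHAR2(100) := UPPER(TRIM(NVL(p_contractor_status, 'UNKNOWN')));
  BEGIN
    IF v_hr = 'TERMINATED' OR v_con = 'TERMINATED' THEN
      RETURN 'Terminated';   -- fail closed: any termination wins
    ELSIF v_hr = 'ACTIVE' AND v_con = 'ACTIVE' THEN
      RETURN 'Active';       -- only when both sources agree
    ELSE
      RETURN 'Review';       -- missing or conflicting feeds go to a human
    END IF;
  END overall_status;
END custom_status_pkg;
/

-- After importing both files from sqlplus (@custom_status_pkg.pks, then
-- @custom_status_pkg.pkb), check the result before wiring it into the GUI.
-- T_AV_USER and the two CUS_ATTR_CAS columns are placeholders: use the
-- names returned by the lookup above.
SELECT u.user_id,
       u.cus_attr_cas_101 AS hr_status,
       u.cus_attr_cas_102 AS contractor_status,
       custom_status_pkg.overall_status(u.cus_attr_cas_101,
                                        u.cus_attr_cas_102) AS overall_status
  FROM t_av_user u
 WHERE custom_status_pkg.overall_status(u.cus_attr_cas_101,
                                        u.cus_attr_cas_102) <> 'Active';
```

The final query lists every identity the calculated attribute would not mark Active, which is the set to review before the new value drives any provisioning or certification decisions.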

For further information or to arrange an initial consultation, contact IDMWorks to discuss how we can help with a solution to address your needs.

Zen and the Art of Identity Management

Monday, November 15th, 2010

Interestingly enough I have been asked many times as to what exactly IDMWorks is and what it is that we do (and I don’t just mean the wife and kids).  As such it seems time to do the quasi-annual blog sales pitch.  I think most of our readers have an idea what we do and have perused the site to better inform themselves but there are some that don’t tread any farther than this here blog.  So in keeping with the simplicity of blogvertising I present you IDMWorks.

Subject: Enterprise Identity & Access Management and Governance, Risk & Compliance

You may be aware of many of the issues organizations are facing today around the various challenges and aspects of Identity Management and Information Security.

At IDMWORKS we understand the problems that many of you are facing and are positioned to help. IDMWORKS is a vendor-agnostic Identity Management, Access Management, and Governance, Risk and Compliance Management consultancy. We have consultants and engineers across the United States and North America who specialize in helping clients with most aspects of Identity, Access Management, and GRC issues, including the following:

  • Identity and Access Management technology evaluations and POCs
  • Identity Management strategy creation, Integration and Deployment
  • Identity Management / IT Security Technologies Assessment, Evaluation, and Planning
  • Identity Management / IT Security Education
  • Pre & Post Identity Management project Support Services
  • Identity Federation
  • PCI Compliance
  • Governance, Risk and Compliance Management, Provisioning
  • Single Sign-on and Web Access management
  • Data Loss Prevention

IDMWORKS has been built upon the skills and experience of dedicated IDM professionals and specialists, with a customer base that includes Government, Healthcare, Education, Financial Services, Energy, Manufacturing and Retail clients.

IDMWORKS has experience with the integration and implementation of the market-leading Identity & Access Management and GRC solutions and technologies (CA, Oracle/Sun, Novell, IBM, Aveksa, Citrix, Passlogix, and Sailpoint, to name a few) and would welcome the opportunity to discuss your IT Security needs to determine how we can help.

We would like to offer you the opportunity to take advantage of an initial Identity Management, and Compliance Assessment. The results of the assessment will include recommendations on potential solutions to address your current Identity management and GRC related issues.

For further information or to arrange an initial consultation, contact IDMWorks to discuss how we can help with a solution to address your needs.

State of the Union

Saturday, October 9th, 2010

Last week Oracle announced they had purchased Passlogix (best known for the V-GO ESSO application) and this got me thinking about the changes in the last 10 years in the Identity Industry.

A decade ago you had start-ups galore. Business Layers (eProvisioning), Netegrity (SiteMinder), Access360, Thor (Xellerate), Waveset, Oblix, Trulogica, M-Tech and Courion, to name a few, almost all of which were acquired.

Business Layers got acquired by Netegrity who got subsequently acquired by CA.  Access360 got acquired by IBM as part of the Tivoli Identity Manager product.  Thor got acquired by Oracle, Waveset by Sun and subsequently Oracle, Oblix by Oracle as well (I am sensing a trend here by the way).  Trulogica got acquired by HP where it saw its demise.  M-Tech became Hitachi and Courion bucked the trend and stayed Courion.  Even the smaller space tools like Maxware got picked up by SAP.  In fact, up until the last few years, we have remained in the land of the Big Company Identity Stack.

So how did we get there?

Back in the day IDM was slowly being looked at as the next wave in risk and security. The issue at the time was that the products were very green and lacked the technical maturity to make implementation a worthwhile process. Sure, the low-hanging fruit of automagically creating an Active Directory or Netware account was a breeze, but the implementation around single sign-on, strategic workflows and approval/escalation to a host of applications was not a smooth process. In fact, in the early 2000s the process that had to come before the technology was still being ironed out. Many of the projects we worked on required a high level of customization and as a result the time to implement took, in some cases, years. During these multi-year engagements a good number of projects failed to get off the ground or changed scope so many times that in the end the effort was deemed a failure or not what it was originally sold as.

Eventually sanity won out and most organizations realized that Web Access Management, Provisioning and, furthermore, Federation and Role Management were separate sides of the Identity Management box. Instead of one large “Big Bang”, a step-by-step approach gained traction as a method to actual success. Many of the larger organizations even split Access Management and Identity Management into strongly separate buckets with their own teams and infrastructure. Gone are the days where Access Manager and Identity Manager are viewed as the same application. Today the products are treated as interconnected but individual pieces complementing each other even when they fall into the same stack. This can be seen in the job reqs that many organizations release when looking for a technical resource. 5 years back recruiters were still looking for the Jack-of-All-Trades Engineer/Developer/Architect/PM that knew the SSO, Provisioning, Federation, Role Management and Password Management tools from the 4 different vendors (my personal favorite being when the recruiter would then say a “junior” resource for said position was OK as a method to justify the sub-par rate, as if such a “junior” person existed with that level of knowledge).

The big-company buy-up of the old Venture Capital backed firms yielded greater maturity in the market and a fierce rivalry in the marketplace. In fact the biggest players are now Oracle, IBM, CA, Novell, and to a lesser extent BMC and a hard-charging Microsoft. What is interesting, though, is that as of a few years back the next generation of VC-based IAM start-ups popped up and we are seeing history repeat itself with the next wave of industry consolidation.

For instance, take a look at the Role Management and Identity Governance market place.

Bridgestream Roles and Vaau RBACx got scooped up by Oracle and Sun and subsequently Vaau won the application war as Oracle’s preferred Role application (under the unfortunately named Identity Analytics banner).

Aveksa and Sailpoint popped up to not only compete in the same space but to offer superior products to manage compliance with HIPAA, SarBox and the like moving beyond solely role management into the governance and compliance management space.

Eventually, as is the case in the IAM space, one or both companies are likely to be acquired. Where they will land is open to conjecture, but like all Venture Capital based opportunities you are either a resounding success in the sales game or you are a cheap acquisition target. I have my own guesses as to what comes next for both companies but alas that is a topic for another blog entry.

As for the announcement of Passlogix being acquired, Oracle has a strong set of tools in the space covering all facets of Identity and Access Management.  They are truly becoming the Walmart of the Identity World.

The Case for Access Governance

Thursday, September 30th, 2010

Well, if you are a CISO, CRO, CCO, CFO, CTO, a Business Manager, the VP of Enterprise Security, the VP of Internal Audit or in the IT Governance Audit department YOU DO………

Here are just a few of the reasons WHY

The CFO concentrates on expenditure….. As CFO you will want to keep the internal and external audit costs to a minimum as well as making sure that the finance department is compliant with regulations.

The CTO has to focus on the overall management of IT… As CTO you don’t want to worry about access rights and policies. You want an appropriate system to manage that for you.

The Business Manager is just that, all about the business…As part of the Business management team you want to do your job efficiently and profitably by making sure that users get the correct permissions and that the certification process is easy for you to understand without wasting your valuable time.

As for the rest of the illustrious cast, you all want to achieve sustainable audit worthy compliance processes that are effective in minimizing costs and exposure to business risk with timely, accurate delivery of appropriate access to users.

OK so that’s the who needs section and why you need it……now for some key reasons that may influence your decision to purchase and implement an access governance solution across your enterprise.

  • Are you facing an upcoming audit?
  • Do you have Audit issues related to access (SOX 404 segregation of duties and privileged account access issues – access risks that create GLBA/Basel/Solvency violations)?
  • Do you need to contain or reduce the costs of compliance?
  • Do you want to implement enterprise roles to simplify and streamline the access request and delivery process?
  • Do you have a complex manual approach for access review and certification that uses multiple spreadsheets and is labor intensive?
  • Have you experienced a data loss or a negative impact on the business due to misuse of access?

So what’s the next step?

If you realize that you are facing one or more of the above challenges may I respectfully suggest that you contact IDMWORKS to work out the finer details. We have a dedicated team of Identity and Access Management  professionals who will provide full program management services to incorporate new process, technology and functionality, ensuring success throughout the project lifecycle.

And the step after?

So now that you have recognized that there may be some issues that need addressing it’s time to think about product. IDMWORKS is ideally positioned to guide you through that selection and deploy the solution on your behalf.


PCI yai yai!

Wednesday, August 18th, 2010

If your business accepts or processes payment cards, it must comply with the PCI DSS (Payment Card Industry Data Security Standards). All businesses and merchants that store, process and/or transmit cardholder information are now required to be PCI compliant.

PCI DSS is a set of requirements for enhancing data security. This originally began as individual programs from Visa, MasterCard, American Express, Discover, and JCB. To facilitate the broad adoption of consistent data security measures Visa, MasterCard, American Express, Discover, and JCB aligned their individual policies to release the Payment Card Industry Data Security Standards.

In today’s economy, with merchants and business owners required to thoroughly evaluate operating costs, merchant processing fees are an area frequently overlooked. Evaluating and comparing merchant processing solutions including fees for services, such as PCI compliance for your business, can be well worth the time it takes and may result in considerable savings for your company.

Many companies are struggling with the same issues repeatedly around PCI DSS compliance and governance. First and foremost, companies need to know whom to pay for PCI compliance, how to pay for it, and where the ROI is. Second, how do companies free up their system administrators to do what they pay them to do (administer systems, that is)? Whether they are network engineers, UNIX administrators, or Windows administrators (to name a few), too often organizations have turned our technical assets into grumpy compliance administrators and/or control owners. I think we all know how much system administrators just love to get involved in compliance and governance (can someone get Johnny from under his desk and let him know I’m not here for PCI, SOX and audit). Third, spreadsheets, spreadsheets, spreadsheets. Did I mention spreadsheets? I’m not sure how much I need to elaborate here, but multiple spreadsheets housing your control environment assure that everyone is working off a different set of controls.

Too often we task our administrators to be owners of controls that are poorly written (often by other system administrators). Most of the time these controls are written very broadly and are not housed in a central repository (which, by the way, external auditors love to flag). With broad controls the external auditor can test whatever they believe the control defines, often leading to the entire control failing and having to be retested. Additionally, we do not supply our system administrators with the correct tool set (“what tools?” says Johnny). We spend a great deal of time manually going through IOS code, system logs, Active Directory logs, and of course spreadsheets to try to test controls and assure governance.

This is where IDMWorks can come in. IDMWorks QSAs can build a framework based on risk drivers, write general controls that can be applied to most standards, build automation into the process, reduce your external audit time by 50% (ROI), and assist you with writing solid test plans to execute. Look at IDMWORKS as your tax preparer, but for compliance and governance. Creating a new framework along with solid test plans ensures a very efficient process that reduces the time wasted by your external auditor testing poorly defined controls. Additionally, poorly written test plans are part of this spiral of non-compliance. IDMWorks takes a practical approach that will ensure your PCI certification and reduce your audit cycle and costs.