Posts Tagged ‘IDM’

Migrating away from Sun Identity Manager? If only it were that simple.

Thursday, March 3rd, 2011

Here at IDMWorks we get asked time and again to migrate from Sun Identity Manager to a number of products including Oracle, Novell, IBM, and CA Identity Manager.

We can tell you with certainty that, regardless of what a vendor or implementation partner has stated, there is no cut-and-dried methodology for “migrating” from Sun IdM to any of the other major IdM products.

As of now, there simply is no magic tool that exports a Sun IdM environment into another product.  A vendor may be able to write a tool or two to migrate some of the important pieces of Sun IdM, like resources, users, or the basic metadata common to all Sun IdM implementations (we speak from having done so a few times now ourselves), but Identity Management is never a plug-and-play, no-customization deployment, so a migration cannot be done that simply.

So if you have a plain vanilla out-of-the-box implementation of Sun IdM, you might be in luck :) . If you’re like every Sun IdM implementation that IDMWorks has implemented, you have custom forms and workflows that have been written to facilitate your company’s processes for on-boarding, requests, off-boarding, approvals, etc.

The majority of these customizations are written in XPRESS.   XPRESS, unfortunately, is a proprietary XML language that was created expressly for the Waveset IdM product, which was purchased by Sun Microsystems, which was in turn purchased by Oracle (where the product is now being “phased out” under the name Oracle Waveset).  Each of the XPRESS forms and workflows is useless to any other product.  Even if somehow translated, they would be awkward at best to integrate into most other products, as the product architecture and internal logic are very different.

The method many of our customers are taking to migrate is to document each process and configuration and create a migration plan to slowly bring up the new product solution to replace the functionality they currently have.  In other words, start from scratch using your original requirements and tools.  The key to success there is to have awesome, thorough, well planned and written documentation! Something we push VERY hard on our customer base here at IDMWorks.

With some luck (and a good vendor/partner) you have documented lessons learned from your original IdM implementation that you can use to expedite the new project and avoid some of the pitfalls that may have occurred the first time. The first and most important step to moving from one IdM platform to another is coming up with a rock solid migration plan that makes the transition as smooth as possible.

In all fairness, at IDMWorks, we don’t have the magic migration tool, but we do have the expertise to make your transition to a new IdM product a success.  Feel free to reach out to us and let us show you what we can do to smooth the process.  As our front page says, “Get to know Peace of Mind”.

Identity Management & the Art of Removing Cloud Security Obstacles

Thursday, February 17th, 2011

First the fun, why Cloud?  Well, we seem to define this a lot here at IDMWorks.

The quick and dirty:

1. Pay As You Go Approach to IT
There is little upfront cost, and this helps keep the cost down for the service consumers. Cloud computing is a pay-as-you-go approach, in which a low initial investment is required to get started, and additional investment is incurred as system usage increases.

2. Highly Available Infrastructure
Many cloud providers sell their service as highly available. This gives Cloud services the aura of a utility which is always on and can be leveraged anytime and from anywhere.

3.  Strong Time to Value Ratio
With Cloud computing, organizations realize benefits more rapidly than with the traditional packaged software use model. In the traditional IT model, a large investment is made early in the project prior to system build out, and well before tangible business benefits are realized. This model has several risks associated with it, since a large percentage of IT projects are cancelled due to poor ROI or user acceptance. Cloud provides IT a way to outsource non-critical functions to an organization better equipped to run those services.

4. Flexible Computing Model
Cloud computing offers much more flexibility than traditional computing models. Your employees can access information wherever they are rather than being restrained to their desktop.

5. It’s Simple
One of the advantages of cloud computing is that businesses of all sizes can instantly obtain the benefits of the enormous infrastructure without having to implement and administer it directly.

Enough of the pitch, now on to Identity Management in the Cloud

Cloud Identity Challenges:

1. User Lifecycle Management:
New Cloud applications bring new complications of management, more costs and administrative hassles. You may have invested hundreds of thousands or even millions in enterprise provisioning software only to find out that it does nothing to address your identities in the Cloud. There could be windows of time where your terminated contractors have not yet been de-provisioned from critical applications.   As such, organizations quickly find out they need a centralized infrastructure to manage user identity information effectively.  Further, explosive growth in the use of web applications increases the complexity and administrative overhead of deciding which users should be entitled to which applications. So it is critical in the cloud framework to facilitate self-service registration wherever possible. This can lead to better agility, reduced help desk costs and higher convenience for end users.

2. Compliance:
As more services and applications are being provided by 3rd parties, organizations have new compliance issues to worry about. The more sensitive data we have via these 3rd party applications the more we need to be able to enforce the types of controls that allow us to be compliant.

3. Federated Authentication:
Federated authentication is the ability to collaborate seamlessly with your partners, vendors, and customers. An organization may already have all of its internal user identities stored in Active Directory and its external users, such as partners and vendors, in an LDAP directory, and it may want all of those users to use an external cloud application without replicating all of that identity information in a third-party product. Many organizations also want the convenience of having their users sign on once to access not only internal applications but also SaaS applications in the cloud.

Cloud Identity Solutions:

1. User Lifecycle Management:
Identity Administration helps solve the user lifecycle management challenge and many other common issues such as self-service registration and compliance reporting.  Automating the provisioning and de-provisioning of users and administering user identities for both on-premise and cloud applications bridges the security gap regardless of the size of the network.  With Role Based Access Control (RBAC), when a user changes roles they are automatically de-provisioned from systems no longer needed and added to those relevant to the new role.  Additionally, automated Identity Administration lets us identify and remediate orphaned accounts (accounts whose owners are long gone).

Throw in user self-service access requests and self-service password reset capabilities and the User Lifecycle Process can be fully automated across the Cloud.

Need this to be standards driven?  Let’s implement SPML connectors.

2.  Compliance:
Simply put, utilize Identity Management tools to log and report Who has access to What, When, Why, and How and fulfill those pesky regulatory requirements, such as Sarbanes-Oxley, 21 CFR Part 11, Gramm-Leach-Bliley, HIPAA, and HSPD-12.

3.  Federated Authentication:
Need to collaborate seamlessly and yet securely across complex heterogeneous environments?  Make sure your Single Sign-On solution can support SAML, Windows CardSpace, WS-Fed and/or OpenID.

In summation, contact IDMWorks and let us help you plan your Cloud based Identity & Access Management (IAM) security solutions around the core tenets:

1. Identity Management

a. Roles based User Provisioning

b. Self-Service Request &  Approval

c. Password Management

2. Access Management

a. Authentication & Fraud Prevention

b. Single Sign-On & Federation

c. Authorization & Entitlements

d. Web Services Security

e. Information Rights Management

3. Governance, Risk and Compliance (GRC)

a. Analytics

b. Fraud Prevention

c. Privacy Controls

The CA Identity Manager 12.5 Bulk Loader

Thursday, November 11th, 2010

Being a newbie to IDMWORKS, and not used to writing blog entries, I decided to gain inspiration by browsing some of the older posts to see what has been written thus far.  I noticed that there was a blog entry posted about Oracle Identity Manager (9.1.0.2), and the Bulk Load Utility that it includes.  I said “Hey! Computer Associates Identity Manager has that too!”.  So, needless to say, I decided to share a bit about the CA Identity Manager 12.5 Bulk Loader that is new to the CA Identity Manager product.

What is the CA Identity Manager Bulk Loader and what is it good for?

The Bulk Loader is used to make changes to a large number of objects simultaneously.  That is a lot easier than doing it one at a time.  At a, um, previous employer, I was not only the Identity Manager Administrator (STAFF EDIT: as opposed to being the “Identity Manager“? *lol*), but I was also responsible for overseeing the group that did all of the user provisioning for the corporate systems.  Here was the situation:

  • The company had just tripled in size (by acquiring parts of another company)
  • We received an employee listing of the acquired company very late in the game (sound familiar?)
  • They decided that the accounts needed to be created over the weekend (are they kidding??)
  • I was a bass player in a rock band and had 2 gigs that weekend (Relevant? Yes!)

The overall setup is something that we’ve all seen at some point:

Very difficult task + short deadline + no time = Hair pulling time!

I was pleased to discover with our upgrade from version 8.1 to 12.5, that the Bulk Loader was included in the software.  In a very short amount of time I was able to create thousands of users just by using the spreadsheet of the employees that HR gave me (and I wasn’t late to my gigs!).

The bottom line is that sometimes the simplest things are easily overlooked, and I’m glad that I knew about the Bulk Loader feature.  Who knows, it might save you too someday!  In my next post, I will cover some of the issues that I ran into while using it, and what you can do to overcome them.

State of the Union

Saturday, October 9th, 2010

Last week Oracle announced they had purchased Passlogix (best known for the V-GO ESSO application) and this got me thinking about the changes in the last 10 years in the Identity Industry.

A decade ago you had start-ups galore: Business Layers (eProvisioning), Netegrity (SiteMinder), Access360, Thor (Xellerate), Waveset, Oblix, Trulogica, M-Tech and Courion, to name a few, almost all of which were acquired.

Business Layers got acquired by Netegrity who got subsequently acquired by CA.  Access360 got acquired by IBM as part of the Tivoli Identity Manager product.  Thor got acquired by Oracle, Waveset by Sun and subsequently Oracle, Oblix by Oracle as well (I am sensing a trend here by the way).  Trulogica got acquired by HP where it saw its demise.  M-Tech became Hitachi and Courion bucked the trend and stayed Courion.  Even the smaller space tools like Maxware got picked up by SAP.  In fact, up until the last few years, we have remained in the land of the Big Company Identity Stack.

So how did we get there?

Back in the day IDM was slowly being looked at as the next wave in Risk and security.  The issue at the time was that the products were very green and lacked the technical maturity to make implementation a worthwhile process.  Sure, the low hanging fruit of automagically creating an Active Directory or Netware account was a breeze, but implementing single sign-on, strategic workflows and approval/escalation across a host of applications was not a smooth process.  In fact, in the early 2000s the business process that had to exist before the technology could be applied was still being ironed out.  Many of the projects we worked on required a high level of customization, and as a result implementation took, in some cases, years to complete.  During these multi-year engagements a good number of projects failed to get off the ground or changed scope so many times that in the end the effort was deemed a failure or not what it was originally sold as.

Eventually sanity won out and most organizations realized that Web Access Management, Provisioning and, furthermore, Federation and Role Management were separate sides of the Identity Management box.  Instead of one large “Big Bang”, a step by step approach gained traction as the method to actual success.  Many of the larger organizations even split Access Management and Identity Management into strongly separate buckets with their own teams and infrastructure.  Gone are the days where Access Manager and Identity Manager are viewed as the same application.  Today the products are treated as interconnected but individual pieces complementing each other even when they fall into the same stack.  This can be seen in the job reqs that many organizations release when looking for a technical resource.  5 years back recruiters were still looking for the Jack-of-All-trades Engineer/Developer/Architect/PM that knew the SSO, Provisioning, Federation, Role Management and Password Management tools from 4 different vendors (my personal favorite being when the recruiter would then say a “junior” resource for said position was OK as a method to justify the sub-par rate, as if such a “junior” person existed with that level of knowledge).

The big company buy-up of the old Venture Capital backed firms yielded a greater maturity in the market and a fierce rivalry in the market place.  In fact the biggest players are now Oracle, IBM, CA, Novell, and to a lesser extent BMC and a hard charging Microsoft.  What is interesting though is as of a few years back the next generation of VC based IAM start-ups popped up and we are seeing history repeat itself with the next wave of industry consolidation.

For instance, take a look at the Role Management and Identity Governance market place.

Bridgestream Roles and Vaau RBACx got scooped up by Oracle and Sun respectively, and subsequently Vaau won the application war as Oracle’s preferred Role application (under the unfortunately named Identity Analytics banner).

Aveksa and Sailpoint popped up to not only compete in the same space but to offer superior products to manage compliance with HIPAA, SarBox and the like moving beyond solely role management into the governance and compliance management space.

Eventually, as is usually the case in the IAM space, one or both companies are likely to be acquired.  Where they will land is open to conjecture, but like all Venture Capital based opportunities you are either a resounding success in the sales game or you are a cheap acquisition target.  I have my own guesses as to what comes next for both companies but alas that is a topic for another blog entry.

As for the announcement of Passlogix being acquired, Oracle has a strong set of tools in the space covering all facets of Identity and Access Management.  They are truly becoming the Walmart of the Identity World.

Unique Identifiers and Why you shouldn’t let users select their own ID

Tuesday, July 20th, 2010

The Unique Identifier, AKA the Unique ID, the UID, the Enterprise Unique ID, the Primary ID, the Global Unique ID.

The UID is the key internal identifier, potentially used for authentication, authorization, group membership, and tracking (reporting, logging, auditing). It is recommended that this ID be unfriendly so as to discourage its inappropriate use. This ID is centrally provided, perhaps through your Identity Management solution, and should be assigned to all current active users and future users. The UID should be non-revocable and non-reassignable; hence it needs a large enough capacity to sustain generations of UIDs. All other identifiers should be either directly or indirectly linked to the UID.

Now as to why you shouldn’t let users select their own ID:
1) The first mistake users make is using Private Data when creating their ID (such as):

  • First and last name
  • Address
  • Phone numbers
  • SSN
  • The names of parents, children and siblings

Many governance rules for applications specifically disallow personal identity data in an ID. That rule would most likely need to be coded into your IdM application, and you could not prevent someone from using their SSN if you are forbidden from asking for the SSN in the first place (you would have nothing to compare the chosen ID against).

2) Some users will use derogatory and/or inflammatory language in their name (which may cause an issue with your support staff/help desk).  I mean let’s face it, there are a lot of geniuses in the world who think Bizhatch is a cool user ID.

3) As a fix in your Identity Management process, might I suggest adding a forgotten user name Use Case into your requirements so as to avoid the issue of the user having an inaccessible ID as they can request the user name be sent to their registered email address.

4) If a user name is selected by a user, and the user name already exists, the new user will now “know” an existing user name in the system.
This presents an associated issue of “guess the password” in which someone selects a user name/password combination such as userID: Minnesota password: Twins.  While you should have password rules to help offset this, the above example might just work.

5) I would highly recommend NOT using email address as a login credential in the future, as you cannot guarantee that it maps to a single person; a family could all use the same ID (ex. RossinFamily@ThisIsNotUnique.com).  Additionally, if someone uses an address they no longer have, you have just added to the complication (“oh yeah, I registered with my Mickey D’s email address, too bad I got fired for embezzling, maybe I should have thought ahead”).

6) Technologically why not:

  • You must code validation rules if rejecting special characters in the name (O’Rossin, R@isen, Van Rossin, etc.) and worse if allowing them (such as remove the ‘ from O’Rossin and make it ORossin, join Van Rossin into VanRossin, etc.).
  • If the user can select User ID, you will have to decide if it should be case sensitive (which I would hope not as the volume of help desk calls will sky rocket) as a user might pick a name they wish to be case-sensitive (ex. ToddRossinRulez)

All in all, this list, while not being complete by any stretch, should give you some ammo as to not allowing a user to select his/her own ID.
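As an added example (not code from the original post or from IDMWorks), the following Python shows the two halves of the argument above side by side: an opaque, non-reassignable enterprise UID that carries no personal data, and the validation a self-selected user name would need (private data, SSN and phone patterns, a denied-word list, special-character and case normalization, and a collision check). The denied-word list, the profile fields and the sample names are constructed for illustration.

```python
"""Opaque enterprise UIDs vs. the validation burden of user-chosen IDs.

Added example; not part of the original post. DENIED_WORDS, the profile
field names and the sample inputs are constructed assumptions.
"""
import re
import secrets
import unicodedata

# Hypothetical denylist; a real deployment would load a maintained list.
DENIED_WORDS = {"bizhatch"}

SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")
ALLOWED_RE = re.compile(r"[a-z0-9]{4,32}")


def new_uid(nbytes=16):
    """Opaque, 'unfriendly' identifier: 128 random bits, hex encoded.

    Nothing about the person can be derived from it, and the space is large
    enough that a UID is never reused even though it is never revoked.
    """
    return secrets.token_hex(nbytes)


def normalize_username(raw):
    """Fold case and strip apostrophes, spaces and punctuation so that
    O'Rossin, o rossin and ORossin collide instead of becoming three
    'different' accounts (case-insensitive by design to spare the help desk)."""
    folded = unicodedata.normalize("NFKC", raw).casefold()
    return re.sub(r"[\s'\u2019\-_.]", "", folded)


def check_username(raw, profile, existing):
    """Return the list of policy violations for a user-selected ID ([] = ok).

    profile:  attributes the user already registered (constructed example
              fields), used to catch IDs built from private data.
    existing: set of normalized user names already in the directory.
    """
    problems = []
    if SSN_RE.search(raw):
        problems.append("looks like an SSN")
    if PHONE_RE.search(raw):
        problems.append("looks like a phone number")
    norm = normalize_username(raw)
    if not ALLOWED_RE.fullmatch(norm):
        problems.append("only letters and digits, 4-32 characters after normalization")
    for field in ("given_name", "family_name", "parent_name", "child_name"):
        value = profile.get(field)
        if value and len(value) >= 3 and normalize_username(value) in norm:
            problems.append(f"contains private data ({field})")
    if any(word in norm for word in DENIED_WORDS):
        problems.append("contains a denied word")
    if norm in existing:
        # Telling the requester more than "unavailable" confirms that another
        # user's ID exists (point 4 above); log the detail, not the reason.
        problems.append("unavailable")
    return problems
```

Every branch in `check_username` is a rule you must write, test and keep current only because users pick their own IDs; `new_uid` needs none of them.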

The Role of Identity Management in Public vs. Private Cloud Computing or How I stopped worrying and learned to love the Cloud: Part II

Friday, July 9th, 2010

Let’s recap shall we? That install of Firefox, IE, Safari, etc. is your method to cheaper, easier to use techno-services outsourced to a service provider (like Google) who takes on the infrastructure, technology and heavy lifting so that you, the business, can reap the ROI. Risks, well, we covered that already, HERE.

So how about Identity Management?
We also defined Identity Management, HERE. We can take the 101 knowledge and apply it to the Cloud. So we build out our security into buckets including Access Management (Authentication, Authorization, Entitlements), Provisioning and lest we forget, GRC (Governance, Risk and Compliance). Mix in audit, logging and reporting and we have a recipe for success.

Access Management in the Cloud
For our Cloud solution to work we need strong authentication (making sure you are who you say you are), strong authorization (making sure you can access what you are allowed to access, write where you are allowed to write, read what you are allowed to read, etc.) and record what the user has been up to (audit, log, report).

Provisioning in the Cloud
The keys to the kingdom rely on creation of an actual account (provisioning), but almost as importantly on making sure that when you leave, by choice or not, we take those keys away (de-provisioning).

Governance, Risk and Compliance in the Cloud (GRC)
Attestation of all accounts (clean up and dump the orphaned accounts folks) and a certification process to ensure it remains so must be implemented. We don’t want Walt of the just fired brigade to have access to the company payroll do we?

Private Cloud Identity Management – Lower Risk with Higher Cost
We defined Private Clouds, HERE. Basically you own it, you operate it, you control it, you firewall it; the associated cost savings are greatly reduced but the security is greatly improved. Private clouds can be built on your own or outsourced to a “private” cloud provider, but the cost savings diminish regardless (disadvantage). Your single sign-on, authentication, authorization, provisioning, role management, GRC, and audit & logging can sit behind the firewall in the private cloud. The odds of data loss and hacking go down considerably (advantage). The return on investment will be long term at best (I say at best because the technology cycle may produce the “next best thing” before you have a chance to recoup the cost).

Public Cloud Identity Management – Higher Risk with Lower Cost
We defined Public Clouds, HERE. On the plus side, Public Clouds equal diminished costs. Diminished costs equal happy Business people concerned with ROI (in business speak we mean Return On Investment; in Security speak we would have meant Risk of Incarceration ;) ). The risk of deploying Identity Management services in the Cloud increases with the move into the public realm: security in a shared environment is much more complex, as is the potential network complexity. That risk can be reduced somewhat, because you should have access to defined best practices that have been used in past customer Cloud IdM implementations, so the amount of bleeding-edge risk goes down (this is where a company like IDMWorks can help you). Your contract with your public cloud provider had better ensure that they manage and take responsibility for the risk associated with potentially exposing your company’s corporate, customer and/or user data (by accident of course, but no one wants to lose their job or get sued over such an occurrence).

The Benefits of Private vs. Public Cloud Identity and Access Management
Public Cloud:
Return on Investment (ROI) higher, much quicker
Higher Risk through lessened security and network complexity

Private Cloud:
Risk of Incarceration (ROI) lower, Return on Investment long term at best
Associated costs are similar to running the environment in-house, Cloud free

Conclusion: Use Identity and Access Management to cut the Endemic Risk of Cloud Computing
When you outsource infrastructure hardware, software and services, you, the customer, must still verify and co-manage the security your provider provides. This is where Identity and Access Management come into play.

Gartner, I hardly knew you.

Wednesday, June 23rd, 2010

Your hero recently attended the 2010 Gartner Security & Risk Management Summit in National Harbor, MD (right near good ol’ DC). This is a two and a half day event starting Tuesday evening for a few hours with a 2 hour session Wednesday and a 1.5 hour session Thursday. I opted to skip the meet and greet geek out on Tuesday and went straight for the goods on Wednesday. I can sum up my expectations for the event with the following word, “stoked”. Unfortunately I can also sum up my realization of the event post arrival with the following word, “disappointed”.

Two things were missing from the summit. The first was the vendors. There were a number of vendors on display, with about 70% using the flavor-of-the-month tag line, Cloud. Apparently the Cloud will deliver everything you have ever wished for from a Security and Risk point of view while curing your arthritis and cooking you a nice Chicken Pot Pie. I am pretty sure McDonald’s is well on its way to changing their tag line to “I’m loving Cloud”. But I digress. The number of vendors was surprisingly poor, with not a lot in the way of big name players. Sure, Google and Oracle were there, but where were the monster booths packed with the goodies and rent-a-babe hostesses? Apparently, from an insider I spoke with, the big name companies have cut back dramatically on their marketing dollars for these events, and quite frankly it showed. Also the overall bevy of companies has declined. The event was heavy on niche and really only gave me an opportunity to say hello to friends and competitors alike. By my estimate maybe 40% of the available space was used for the show.

The second missing piece of the puzzle was the attendees. We were comped for this event and now I know why. There were very few attendees. I couldn’t believe the emptiness at booths. It was like Disney in the first week of January. No lines, no waiting. While it was easy to see and speak with just about anyone I cared to about product, services and the almighty Cloud, it left me wondering what is really being gained. For certain the event produced very few sustainable leads.

So in conclusion I don’t see an IDMWorks booth at the next Gartner event in the future, but keep a look out for your hero behind the counter at Mickey D’s asking if you want fries with that order.

That’ll learn ya: Identity and Access Management 101

Friday, June 18th, 2010

Why the 411 on the 101 you ask?  As a number of smaller IT shops at customer sites come up to speed the need for a primer gets requested often (along with best practices).  As a service to our fellow man (and woman) feel free to take a gander if you are researching what exactly IAM is.  Oh, and then sign up for Twitter and follow our Tweets (letting you know when we post another blog entry).

Identity Administration and Provisioning
Identity Administration and Provisioning services provide a set of processes and an underlying infrastructure to support the creation and maintenance of identity (including attributes, credentials, and entitlements) and the secure facilitation of access to IT assets for various user populations from different channels, including intranet, extranet, Internet, mobile devices, etc. It is critical to the health of the overall IAM infrastructure that the identity and entitlement information held in authoritative identity repositories be accurate and of high quality. Identity and policy administration services include centralized, delegated, and self-service administration, as well as workflow approval. These services also include the ability to programmatically update identity information from existing authoritative sources of data or to obtain just-in-time identity assertions from a third party.

The following describes sub-capabilities of an Identity Administration and Provisioning Service:

  1. Delegated Administration - Provides a mechanism for administrators to push privileged activities to managers and end users securely through tailored interfaces and work-flows.
  2. Self Registration and Self-Service - Provides an interface for users to manage credentials and profile information and to request access to IT assets; anonymous users may also register through this interface.
  3. User & Group Management - Provides administrative tools and services that Information Security professionals utilize to administer user identity and group entries throughout the enterprise, including privileged and application / service accounts.
  4. Identity Registration and Proofing - Provides on-boarding and verification of new users; identity proofing may prescribe call-outs to external services such as credit agencies, utilities, and government agencies to provide a level of assurance that the subject matches a valid person.
  5. Identity Storage and Publication - Provides repositories for identity / account data; typically includes services to routinely scan IT systems for discrepancies between expected and discovered accounts and fire configurable processes which can notify application and business owners, disable / delete unknown accounts, create missing accounts, revert or reapply authorizations, etc.
  6. Rules & Access Policies - Provides for the application of business logic and policy in how and which assets are provisioned and how data is processed and transformed as it flows through the identity system.
  7. Connector Framework - An extensible package of adapters that leverage standard and vendor proprietary APIs to manage various account repositories and provide a generic interface to a provisioning system for managing account identifiers, profile attributes, credentials, and authorization information, such as group memberships; some connectors provide the capability to directly manage generic data objects such as physical assets in LDAP stores.
  8. Identity Attribute Mapping - Provides meta-directory capability of mapping differing account attribute names to the same identity attribute, e.g. “sn” and “surname” both to last name.
  9. Approval Workflow - Provides multi-step approval flows to automate request processes that require review and sign-off from authorized parties, such as managers, data owners, system owners, information security, etc., facilitating delegation to end users while still enforcing security policy controls.
  10. Provisioning Workflow - Provides multi-step account provisioning to accommodate dependencies between accounts and to increase reliability, e.g. supporting creation of accounts in a specific order, performing retries / rollback in case of failure, sending notification of down systems, etc.
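As an added example that is not part of the original page or IDMWorks' own tooling, the Python below implements the reconciliation pass that items 5 and 8 describe (scan discovered accounts against the authoritative identity store after mapping each target's attribute names, such as sn/surname, onto the canonical ones) and produces the orphaned-account findings the earlier Cloud posts talk about remediating. The attribute map, identity records and discovered accounts are constructed sample data; remediation (disable, create, reapply) is left to the caller because that is a policy decision.

```python
"""Account reconciliation with attribute mapping and orphan detection.

Added example; not from the original page. ATTRIBUTE_MAP and the SAMPLE_*
data are constructed assumptions standing in for real targets.
"""
from dataclasses import dataclass, field

# Per-target map from the target's attribute name to the canonical identity
# attribute (the meta-directory mapping: "sn" and "surname" -> last_name).
ATTRIBUTE_MAP = {
    "ldap":  {"uid": "username", "sn": "last_name", "givenName": "first_name", "mail": "email"},
    "hrapp": {"login": "username", "surname": "last_name", "first": "first_name", "email": "email"},
}


@dataclass
class Identity:
    uid: str        # opaque enterprise UID from the authoritative store
    active: bool
    attrs: dict     # canonical attributes, e.g. {"username": ..., "last_name": ...}
    entitled: set   # targets on which this identity should have an account


@dataclass
class Finding:
    target: str
    username: str
    kind: str       # "orphan" | "missing" | "drift" | "ok"
    detail: dict = field(default_factory=dict)


def canonicalize(target, raw_account):
    """Rename a discovered account's attributes into canonical names."""
    mapping = ATTRIBUTE_MAP[target]
    return {mapping[k]: v for k, v in raw_account.items() if k in mapping}


def reconcile(identities, discovered):
    """Compare expected accounts (derived from identities) with discovered ones.

    discovered: {target: [raw_account, ...]} as pulled from each system.
    An account is an orphan when no active identity entitled to that target
    owns it; drift means the account's attributes disagree with the store.
    """
    findings = []
    by_username = {ident.attrs["username"]: ident for ident in identities}
    for target, accounts in discovered.items():
        seen = set()
        for raw in accounts:
            acct = canonicalize(target, raw)
            name = acct["username"]
            seen.add(name)
            owner = by_username.get(name)
            if owner is None or not owner.active or target not in owner.entitled:
                findings.append(Finding(target, name, "orphan",
                                        {"reason": "no active entitled owner"}))
                continue
            drift = {k: (v, owner.attrs.get(k)) for k, v in acct.items()
                     if k != "username" and owner.attrs.get(k) != v}
            findings.append(Finding(target, name, "drift" if drift else "ok", drift))
        for ident in identities:   # expected but not discovered
            if ident.active and target in ident.entitled and ident.attrs["username"] not in seen:
                findings.append(Finding(target, ident.attrs["username"], "missing"))
    return findings


def summarize(findings):
    """{kind: sorted [(target, username), ...]} for reporting or assertions."""
    out = {}
    for f in findings:
        out.setdefault(f.kind, []).append((f.target, f.username))
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample data: one live user on both targets, one terminated user
# whose LDAP account was never removed, one new hire not yet in hrapp, and a
# service account nobody owns.
SAMPLE_IDENTITIES = [
    Identity("uid-a1f0", True,  {"username": "trossin", "last_name": "Rossin",
                                 "first_name": "Todd", "email": "trossin@example.com"}, {"ldap", "hrapp"}),
    Identity("uid-c2d1", False, {"username": "walt", "last_name": "Fired",
                                 "first_name": "Walt", "email": "walt@example.com"}, {"ldap"}),
    Identity("uid-9e44", True,  {"username": "jdoe", "last_name": "Doe",
                                 "first_name": "Jane", "email": "jdoe@example.com"}, {"hrapp"}),
]
SAMPLE_DISCOVERED = {
    "ldap": [
        {"uid": "trossin", "sn": "Rossin", "givenName": "Todd", "mail": "trossin@example.com"},
        {"uid": "walt", "sn": "Fired", "givenName": "Walt", "mail": "walt@example.com"},
        {"uid": "svc_backup", "sn": "service"},
    ],
    "hrapp": [
        {"login": "trossin", "surname": "Rosin", "first": "Todd", "email": "trossin@example.com"},
    ],
}


def demo():
    return summarize(reconcile(SAMPLE_IDENTITIES, SAMPLE_DISCOVERED))
```

Running `demo()` flags walt's LDAP account and `svc_backup` as orphans, jdoe as missing on hrapp, and trossin's misspelled surname on hrapp as drift; a provisioning workflow would then disable, create or reapply according to policy, and notify the owners.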

Authentication Management
Authentication management represents the process through which a subject provides valid credentials to satisfy the access requirements of the application, service or system the subject is trying to access. Reduced sign-on technologies centralize or seek to rationalize these authentication mechanisms so that multiple applications, services, and systems may rely on a central store for authentication, or provide for synchronization of the subject’s credentials so as to limit the number of credentials per user and improve the end-user experience.

The following describes sub-capabilities of an Authentication Management service:

  1. Authentication Protocols - Standards which prescribe how to present an authenticated subject; includes Kerberos, SAML / Liberty, WS-*, LDAP and application-specific standards, such as Windows NTLM.
  2. Verification and Validation - Mechanisms to verify a subject’s credentials and provide a level of assurance as to the validity of the credential; also concerned with authentication policies and password policies.
  3. Credential Lifecycle Management - Concerned with creation of credentials and the management of the credential lifecycle.

Authorization Management
Traditionally, IT systems and applications each have their own implementation for authorization management or, more precisely, Access Control. This means that a user has an account for each system/application he or she uses and each system/application has its own permission structure and method of permission assignment.

The following sub-capabilities comprise an Authorization Management service:

  1. Resource Identification and Management - Provides for centralized inventorying, labeling, and general management of IT assets.
  2. Role-Based Authorization - Provides for modeling of access to IT assets based on information about the user, e.g. department, job function, location, etc., to automate access provisioning and validate the appropriateness of entitlements that are granted.
  3. Rule-based Authorization - Provides a service for consolidating security decisions traditionally hard-coded in disparate applications into an external, centrally-managed and audited repository, allowing applications to focus on business logic and outsource authorization management in a repeatable, consistent way.
  4. User Mapping - Supports assignment of users to entitlements or sets of entitlements, e.g. roles.
  5. Periodic Authorization Review - The process of periodically reviewing the access granted to users, by their managers and by application owners, as part of a GRC program.
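Items 2 through 4 above describe one architecture: roles derived from user attributes, entitlements attached to roles, explicit user-to-role mapping, and rules pulled out of the application into a central decision point. The following is an added example of that architecture, not code from the page or from any authorization product; the users, roles, entitlements and the two rules are constructed for illustration.

```python
"""Externalized authorization: a policy decision point (PDP) derives roles
from identity attributes (role-based), checks role entitlements, then applies
centrally managed rules (rule-based) the application used to hard-code; an
enforcement point (PEP) wraps the protected operation and audits every
decision. Added example; users, roles and rules are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class User:
    uid: str
    department: str
    job_function: str
    location: str
    explicit_roles: Set[str] = field(default_factory=set)   # direct user-to-role mapping


# Role-based: membership rules over user attributes, and what each role grants.
ROLE_RULES: Dict[str, Callable[[User], bool]] = {
    "employee": lambda u: True,
    "payroll_clerk": lambda u: u.department == "finance" and u.job_function == "clerk",
    "payroll_admin": lambda u: u.department == "finance" and u.job_function == "manager",
}
ROLE_ENTITLEMENTS: Dict[str, Set[Tuple[str, str]]] = {
    "employee": {("intranet", "read")},
    "payroll_clerk": {("payroll", "read")},
    "payroll_admin": {("payroll", "read"), ("payroll", "approve")},
}


def effective_roles(user: User) -> Set[str]:
    """Roles derived from attributes plus any explicitly mapped ones."""
    return {r for r, match in ROLE_RULES.items() if match(user)} | user.explicit_roles


# Rule-based: each rule returns a denial reason, or None to let the request through.
Rule = Callable[[User, str, str, dict], Optional[str]]


def deny_offshore_approvals(user, resource, action, ctx):
    if resource == "payroll" and action == "approve" and user.location != "US":
        return "payroll approvals only from US locations"
    return None


def deny_outside_business_hours(user, resource, action, ctx):
    hour = ctx.get("hour")
    if resource == "payroll" and action == "approve":
        if hour is None:
            return "request time unknown"          # fail closed, not open
        if not 8 <= hour < 18:
            return "payroll approvals only during business hours"
    return None


RULES: List[Rule] = [deny_offshore_approvals, deny_outside_business_hours]


@dataclass
class Decision:
    permit: bool
    reason: str
    roles: Set[str]


def pdp_decide(user: User, resource: str, action: str, ctx: dict) -> Decision:
    """Entitlement check first, then deny-overrides rules."""
    roles = effective_roles(user)
    if not any((resource, action) in ROLE_ENTITLEMENTS.get(r, set()) for r in roles):
        return Decision(False, f"no role grants {action} on {resource}", roles)
    for rule in RULES:
        reason = rule(user, resource, action, ctx)
        if reason:
            return Decision(False, reason, roles)
    return Decision(True, "permitted", roles)


AUDIT: List[str] = []


def pep_guard(user: User, resource: str, action: str, ctx: dict,
              operation: Callable[[], str]) -> str:
    """The application calls this instead of embedding its own checks."""
    d = pdp_decide(user, resource, action, ctx)
    AUDIT.append(f"{user.uid} {action} {resource}: {'PERMIT' if d.permit else 'DENY'} ({d.reason})")
    if not d.permit:
        raise PermissionError(d.reason)
    return operation()
```

The point of the split is that changing who may approve payroll (a new location, different hours) is a change to `ROLE_RULES` or `RULES` in one place, reviewed and audited there, rather than a code change in every application; the `AUDIT` list is what the periodic review in item 5 would read from.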

Access Management
Access Management is the security enforcement component of an Identity and Access Management (IAM) infrastructure. It enforces access control against predefined security policies established to govern access to network resources. Those resources are typically web-based applications, in which case the capability is commonly called web single sign-on (SSO). Identity Administration and Provisioning, Authentication Management and Authorization Management all feed directly into Access Management.

The following sub-capabilities comprise an Access Management service:

  1. Web Access Management - Protects web-accessible services within the enterprise through centrally defined authentication and authorization policies, using policy decision points (PDPs) and distributed or proxy-based policy enforcement points (PEPs); provides session management and domain single sign-on (SSO) for web applications.
  2. Enterprise SSO - Minimizes the number of times a user must authenticate to disparate applications by maintaining a secured store of per-application credentials that are submitted transparently when the user accesses an application.
  3. Identity Federation - Enables sharing of IT assets across domains, e.g. between partners: claims- or federation-aware applications hosted by a service provider (relying party) are made available to users managed and authenticated by a trusted identity provider (asserting party). As a user requests access to the service provider's application, the service provider receives a token carrying, or allowing it to obtain, claims about the user from the identity provider, and bases its authorization decisions on those claims.
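The federation exchange in item 3, with both parties written out, as an added example that is not from the page or from any federation product. It stands in for a SAML or WS-Federation flow and also shows the credential verification step from Authentication Management above, since that is the IdP's half of the job. Simplification to keep it dependency-free: the assertion is an HMAC over a JSON payload under a key both parties hold, where a real IdP signs with its own key pair and publishes the verification key. The issuer and SP URLs, the user `ravi` and the key are constructed.

```python
"""Identity federation: the partner's identity provider (IdP) verifies the
user's credentials and issues a signed assertion; our service provider (SP)
validates signature, issuer, audience, lifetime and replay, then decides
access from the claims, never seeing the password. Added example; HMAC with
a shared key stands in for the IdP's signing key pair."""
import base64, binascii, hashlib, hmac, json
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Asserting party: holds the user store and the signing key."""
    def __init__(self, issuer: str, key: bytes, users: Dict[str, dict]):
        self.issuer, self.key, self.users = issuer, key, users
        self.counter = 0                          # assertion ids

    def authenticate(self, uid: str, password: str) -> bool:
        """Credential verification against a salted hash (constructed store)."""
        rec = self.users.get(uid)
        if rec is None:
            return False
        digest = hashlib.sha256(rec["salt"] + password.encode()).hexdigest()
        return hmac.compare_digest(digest, rec["pw_hash"])

    def issue_assertion(self, uid: str, audience: str, now: int, ttl: int = 300) -> str:
        """Claims about the subject, bound to one audience and a short lifetime."""
        self.counter += 1
        claims = {"iss": self.issuer, "aud": audience, "sub": uid,
                  "jti": f"{self.issuer}#{self.counter}", "iat": now, "exp": now + ttl,
                  "attrs": self.users[uid]["attrs"]}
        payload = json.dumps(claims, sort_keys=True).encode()
        return b64url(payload) + "." + b64url(hmac.new(self.key, payload, hashlib.sha256).digest())


class ServiceProvider:
    """Relying party: trusts one issuer and that issuer's key."""
    def __init__(self, entity_id: str, trusted_issuer: str, key: bytes):
        self.entity_id, self.trusted_issuer, self.key = entity_id, trusted_issuer, key
        self.seen = set()                         # assertion ids already consumed

    def validate(self, token: str, now: int) -> Optional[dict]:
        try:
            p64, s64 = token.split(".")
            payload, sig = unb64url(p64), unb64url(s64)
        except (ValueError, binascii.Error):
            return None
        if not hmac.compare_digest(sig, hmac.new(self.key, payload, hashlib.sha256).digest()):
            return None                           # tampered, or not from our IdP
        claims = json.loads(payload)
        if claims.get("iss") != self.trusted_issuer or claims.get("aud") != self.entity_id:
            return None                           # wrong issuer, or minted for another SP
        if not claims["iat"] <= now < claims["exp"]:
            return None                           # expired or not yet valid
        if claims["jti"] in self.seen:
            return None                           # replay
        self.seen.add(claims["jti"])
        return claims

    def authorize(self, claims: dict, action: str) -> bool:
        """Local decision from federated claims: only partner managers approve."""
        return action == "view" or (action == "approve" and claims["attrs"].get("role") == "manager")


def demo() -> dict:
    key = b"constructed-shared-federation-key"
    idp = IdentityProvider("https://idp.partner.example", key, {
        "ravi": {"salt": b"s1", "pw_hash": hashlib.sha256(b"s1correct horse").hexdigest(),
                 "attrs": {"role": "manager", "department": "procurement"}}})
    sp = ServiceProvider("https://portal.acme.example", "https://idp.partner.example", key)
    now = 1_273_000_000
    if not idp.authenticate("ravi", "correct horse"):
        raise RuntimeError("authentication failed")
    token = idp.issue_assertion("ravi", sp.entity_id, now)
    # an attacker can edit the claims but cannot re-sign them
    p64, s64 = token.split(".")
    forged = json.loads(unb64url(p64))
    forged["attrs"]["role"] = "admin"
    tampered = b64url(json.dumps(forged, sort_keys=True).encode()) + "." + s64
    good = sp.validate(token, now + 10)
    return {"claims": good,
            "can_approve": sp.authorize(good, "approve") if good else None,
            "replay": sp.validate(token, now + 20),
            "tampered": sp.validate(tampered, now + 5),
            "expired": sp.validate(idp.issue_assertion("ravi", sp.entity_id, now), now + 400),
            "wrong_audience": sp.validate(idp.issue_assertion("ravi", "https://other.example", now), now + 5),
            "bad_password": idp.authenticate("ravi", "wrong")}
```

The audience check is the one most often skipped in home-grown federation: without it, an assertion minted for one partner application can be presented to another one that trusts the same IdP.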

Data Management
Data Management, as it pertains to Identity and Access Management, concerns the use of directory stores for holding identity information and making it available to the enterprise.

Data Management in the context of IAM is comprised of the following sub-capabilities:

  1. LDAP Directory - Provides a source of identity accessible through a standard protocol, LDAP; also provides a repository for authentication credentials and authorization data such as group memberships.
  2. White Pages - Provides a single, public resource for searching and viewing profile information on enterprise users.
  3. Virtual Directory - Provides a mechanism for abstracting multiple identity repositories so that they look like a single LDAP-compliant repository, which is particularly useful in environments where multiple sources of identity exist for different user constituencies and a WAM and/or federation solution backed by such a repository is desired.
  4. Data Synchronization - Provides automated, high-throughput services to move data between directories while applying attribute mappings and transformation rules.
  5. Policy Store - Provides a repository for rules and policy definitions, typically required by access management services.
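Item 4 above, data synchronization with attribute mappings and transformation rules, in working form. This is an added example, not code from the page or from any directory or metadirectory product; the HR feed, the mapping table, the `example.com` naming and the in-memory "directory" are constructed. It goes a little beyond the list item to cover the cases a first sync run tends to get wrong: uid collisions, renames, and people who leave.

```python
"""Directory synchronization with attribute mapping and transformation
rules: HR rows become LDAP-style entries, the uid is derived and kept
unique, only changed attributes are written, and entries whose source record
disappeared are disabled rather than deleted. Added example; HR rows,
mapping and the in-memory directory are constructed."""
import unicodedata
from typing import Callable, Dict, List, Tuple

BASE_DN = "ou=people,dc=example,dc=com"
DEPARTMENTS = {"FIN": "Finance", "ENG": "Engineering"}


def ascii_fold(text: str) -> str:
    """'Núñez' -> 'Nunez', so derived identifiers stay ASCII."""
    return unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()


def derive_uid(src: dict) -> str:
    """First initial + surname, lower-case, at most 8 characters."""
    return (ascii_fold(src["first"])[:1] + ascii_fold(src["last"])).lower()[:8]


# target attribute -> transformation rule over the source row
MAPPING: List[Tuple[str, Callable[[dict], str]]] = [
    ("employeeNumber", lambda s: str(s["emp_id"])),
    ("uid", derive_uid),
    ("cn", lambda s: f'{s["first"]} {s["last"]}'),
    ("sn", lambda s: s["last"]),
    ("ou", lambda s: DEPARTMENTS.get(s["dept_code"], "Unassigned")),
    ("accountStatus", lambda s: "active" if s["status"] == "A" else "disabled"),
]


def transform(src: dict) -> dict:
    return {attr: rule(src) for attr, rule in MAPPING}


def dn_for(entry: dict) -> str:
    # anchor the DN on the immutable employee number, not on uid or cn, so a
    # name change updates the entry instead of creating a second one
    return f'employeeNumber={entry["employeeNumber"]},{BASE_DN}'


def ensure_unique_uid(entry: dict, dn: str, directory: Dict[str, dict]) -> None:
    """Append a counter if another entry already holds the derived uid."""
    taken = {e["uid"] for d, e in directory.items() if d != dn}
    base, n = entry["uid"], 2
    while entry["uid"] in taken:
        entry["uid"] = f"{base[:7]}{n}"
        n += 1
    entry["mail"] = f'{entry["uid"]}@example.com'       # derived after uniqueness


def synchronize(source_rows: List[dict], directory: Dict[str, dict]) -> dict:
    """One reconciliation pass; returns what was added, modified or disabled."""
    log = {"add": [], "modify": [], "disable": [], "unchanged": []}
    seen = set()
    for row in source_rows:
        entry = transform(row)
        dn = dn_for(entry)
        ensure_unique_uid(entry, dn, directory)
        seen.add(dn)
        current = directory.get(dn)
        if current is None:
            directory[dn] = entry
            log["add"].append(dn)
            continue
        changed = {k: v for k, v in entry.items() if current.get(k) != v}
        if changed:
            current.update(changed)                     # write only the delta
            log["modify"].append((dn, sorted(changed)))
        else:
            log["unchanged"].append(dn)
    for dn, entry in directory.items():
        if dn not in seen and entry["accountStatus"] != "disabled":
            entry["accountStatus"] = "disabled"         # leaver: disable, keep for audit
            log["disable"].append(dn)
    return log


HR_ROWS = [   # constructed sample feed
    {"first": "José", "last": "Núñez", "emp_id": 1001, "dept_code": "FIN", "status": "A"},
    {"first": "Jane", "last": "Nunez", "emp_id": 1002, "dept_code": "ENG", "status": "A"},
]
```

Running `synchronize(HR_ROWS, directory)` twice produces two adds and then two unchanged entries; feeding only José's row back with a new department modifies just `ou` on his entry and disables Jane's. Disabling rather than deleting is deliberate: a deleted entry takes its group memberships and audit trail with it, and a leaver whose record reappears (rehire, feed glitch) would otherwise be re-created with a fresh identity.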

Supporting Technology Capabilities

  1. Security Information and Event Management (SIEM) - Provides a secure, centralized store of event logs from multiple systems behind a single, consistent front end; generates immediate alerts and notifications of significant events across systems, supporting proactive compliance, and, because logs are archived, is invaluable for forensic analysis; provides dashboards and other reporting tools.
  2. Business Rule Definition - The creation and management of business rules for workflows, content delivery, etc., to deliver the appropriate content to the appropriate person via the appropriate channel.
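What "alerts on significant events across systems" means in practice for an IAM deployment is correlation: the same account failing on the VPN and on the web access manager within minutes is interesting in a way that either log alone is not. The following is an added example of that logic, not code from the page or from any SIEM product; the two log formats and the sample lines are constructed stand-ins, and the user names, hosts and addresses in them are invented.

```python
"""Cross-system correlation of the kind a SIEM performs: lines from two
systems are normalized into one event schema, then a sliding window flags an
account that fails authentication on several systems in a short period and a
success that follows such a burst. Added example; formats and lines are
constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional


class Event(NamedTuple):
    ts: datetime
    system: str
    user: str
    outcome: str        # "success" or "failure"
    src: str


VPN_RE = re.compile(r"^(?P<ts>\S+) vpn01 auth: user=(?P<user>\S+) "
                    r"result=(?P<res>OK|FAIL) from=(?P<src>\S+)$")
WAM_RE = re.compile(r"^(?P<ts>\S+)\|WAM\|(?P<res>LOGIN_OK|LOGIN_FAILED)\|(?P<user>[^|]+)\|(?P<src>[^|]+)$")


def normalize(line: str) -> Optional[Event]:
    """Map each source format onto the common schema; user names are
    lower-cased so 'WKarp' on the WAM and 'wkarp' on the VPN correlate."""
    m = VPN_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), "vpn", m["user"].lower(),
                     "success" if m["res"] == "OK" else "failure", m["src"])
    m = WAM_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), "wam", m["user"].lower(),
                     "success" if m["res"] == "LOGIN_OK" else "failure", m["src"])
    return None


def correlate(lines: List[str], window: timedelta = timedelta(minutes=5),
              min_failures: int = 3, min_systems: int = 2) -> dict:
    parsed = [normalize(line) for line in lines]
    unparsed = sum(1 for p in parsed if p is None)     # counted, never silently dropped
    events = sorted((p for p in parsed if p is not None), key=lambda e: e.ts)
    history: Dict[str, List[Event]] = defaultdict(list)
    flagged = set()
    alerts: List[dict] = []
    for e in events:
        hist = history[e.user]
        hist.append(e)
        while e.ts - hist[0].ts > window:               # slide the window
            hist.pop(0)
        failures = [h for h in hist if h.outcome == "failure"]
        systems = {h.system for h in failures}
        if (e.outcome == "failure" and len(failures) >= min_failures
                and len(systems) >= min_systems and e.user not in flagged):
            flagged.add(e.user)                          # one alert per user per pass
            alerts.append({"rule": "multi_system_auth_failures", "user": e.user,
                           "at": e.ts.isoformat(), "systems": sorted(systems),
                           "sources": sorted({h.src for h in failures})})
        elif e.outcome == "success" and len(failures) >= min_failures:
            alerts.append({"rule": "success_after_failures", "user": e.user,
                           "at": e.ts.isoformat(), "system": e.system, "src": e.src})
    return {"alerts": alerts, "events": len(events), "unparsed": unparsed}


SAMPLE_LOG = """\
2010-05-05T09:00:00 vpn01 auth: user=wkarp result=FAIL from=203.0.113.7
2010-05-05T09:00:20 vpn01 auth: user=wkarp result=FAIL from=203.0.113.7
2010-05-05T09:01:05|WAM|LOGIN_FAILED|WKarp|203.0.113.7
2010-05-05T09:01:40|WAM|LOGIN_OK|WKarp|203.0.113.7
2010-05-05T09:02:00 vpn01 auth: user=rnair result=OK from=198.51.100.4
2010-05-05T09:30:00 vpn01 auth: user=rnair result=FAIL from=198.51.100.4
May  5 09:31:00 fw01 kernel: unrelated line
""".splitlines()
```

On the sample, `wkarp` trips the multi-system rule on the third failure and the success-after-failures rule forty seconds later; `rnair`'s single failure half an hour after a success raises nothing, and the firewall line is reported as unparsed rather than ignored. The lower-casing in `normalize` is the unglamorous part that makes the correlation work at all, since each system spells the identity differently.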

Identity Theft of an Identity Manager

Tuesday, May 25th, 2010

A few years back I found myself in a strange situation. I was still an independent consultant in the IDM space. Therefore, my resume was very accessible at the top of the searches in Yahoo and Google. As part of my job, I'd often get requests from clients to review resumes of prospective employees and consultants in the IDM space. Amazingly, twice in a single month, I had been given my own resume to review with someone else's name at the top. In both cases the job duties and descriptions, even the project names, exactly matched my work from when my niche work began, about 4 years prior, to the present day. Also, the plagiarized sections were typed in a different font than the rest of the resume, which leads me to the conclusion that the thieves (if we can call them that) simply cut and pasted their resumes from mine and, most likely, from other unknown sources.

When I received the first resume from a client in Maryland, I immediately contacted my customer, explained the situation, and asked them how they wanted me to handle this dilemma. My client asked me to proceed almost as planned. They wisely wanted me to speak to the candidate with the intention of getting the truth or some sort of admission of plagiarism from the “author” of the resume at hand.

Nervously, I contacted the candidate, we will call him Walt. My questioning focused specifically on the work experience that Walt and I seemed to share. He was unable to speak intelligently about any of the work that he had allegedly done. So, finally, I blatantly asked him if he wrote the resume. When confronted, he eventually said that he “might” have taken a bit “from here or there.” I then led him to my posted resume on the Web which included the phone number I was calling him from. What followed was stunned silence. Walt then apologized profusely and swore “on the life of his child” that he would delete the portions of his resume in question.

In the end Walt was denied a position and Walt’s representatives, the staffing company, were forbidden from submitting additional candidates to the customer as they were expected to properly vet candidates.

Two weeks later, I received the second resume from a different client in Minnesota. The second case I intended to handle in the same manner as I had the first. The only real difference between the candidates, we will call him Ravi, was that this one happened to be from overseas. When I talked to this candidate, he and I realized that, although it was his resume I was given, it was not the one he had authored. As it turns out, the overseas technology company representing him had followed the common practice of swiping someone else's credentials to try and sell their consultant. I felt bad for this guy because he was unaware of what had happened and because it cost him potential employment.

A fellow IDM peer, Adam, has had a similar tale to tell. An IDM themed IT company has been using his resume as a method to show customers and even potential hires the type of seasoned staff they employ. One issue: the resume is Adam's and Adam does not work for said company. In fact he had an acrimonious parting with said company over the company's shady tactics to begin with.

What I find amusing is that for those who work in the Identity Management space we all know there are some constants. Those constants are as follows:

  1. The owners of the products may have changed from the Business Layers, Access360s, Thors, Wavesets, Oblix, etc. to Oracle, IBM, CA, etc. but the players have not. IAM is still a small world and as such you WILL see your peers out in the market.
  2. The recruiters for the most part are unknowledgeable and in some cases will beg, borrow and steal to make the sale. Don’t believe me? How many of you have been called by a recruiter asking you to be their “Identity Manager” and then spent the time explaining that Identity Manager is an application not a role?
  3. Small IT companies will bill themselves as the expert in a given field with 3 people actually working for the company and all “staff” as contingent contractors. Re-read Adam’s plight above for the example.

Now comes the best part. In my list of constants I skipped over the example or proof of the first one, you WILL see your peers out in the market. Case in point, our friend Walt, you remember him don't you? IDMWorks scored a nice project with a respectable company in the health arena. Your hero had been working on the project for about 2 weeks when he bumped into Walt doing IDM work at said client. For reference I'd like to point out that 3 years had passed since the damning of Walt's kids in the name of amending the prior situation. Walt didn't recognize me but you can be sure I recognized him. I immediately went to the manager of the department and let him know my story. Coincidentally the manager had a copy of Walt's resume. Unfortunately for Walt's children he was still using mine. Some people never learn. I made sure to take Walt out to coffee before any action by the customer was taken. I reminded Walt of who I was and how in the field of Identity Management it would seem paramount not to resort to Identity Theft. I asked Walt if he was still using my resume. He answered, "No". I let him in on my little secret that I had actually seen the resume he presented to the customer. Nevertheless we left it with a heartfelt apology and yet another promise that Walt would change the resume to his own. As karma was realigning itself Walt was let go, never to be re-hired at the customer ever again.

So in the end there isn’t much you can do about people plagiarizing your resume, except to hope that companies do their due diligence and fact-check their candidates or to hide your identity from the world at large. Hopefully it won’t compromise future opportunities when your resume comes into question because someone else has seen it before.

PS: Speaking of Resume Stealing Scumbags: http://www.peningo.com/index.html

These guys have a list of "sample resumes" on their site. Coincidentally, I found mine. Never heard of them before. Be careful.

Identity Management Cloud Computing or: How I stopped worrying and learned to love the Cloud: Part I

Wednesday, May 5th, 2010

PART 1:
I think I see a cloud ahead. How about you? If you've been reading the IT blogosphere, CNET or pretty much any IT related news site or magazine these days, the go-to buzzword is "cloud". Similar to how companies are going "green", they now all seem to want to go "cloud". The question we as a company seem to be getting often is how to do IDM in the cloud. There are quite a few advantages, and just as many risks, to consider.

The cloud can be private (hosted within an organization’s firewall) or public (hosted on the Internet) or a hybrid thereof. So let’s delve into the clouds shall we?

The Public Cloud

First, let's talk about exactly what a cloud is and what its immediate advantage is. In the loosest sense, the cloud is the Internet: the growth of interconnected networks online that offer you a more reliable, easier to use, higher speed, higher capacity and larger storage set of resources, all at a fraction of the cost. Sounds pretty cool, no? My guess is you already use some of these cloud resources. Yahoo Mail? McAfee Antivirus? Go Daddy? Google Docs? It is much easier to simply sign up for these services than it is to host your own email or web server, or to buy a $150 copy of Microsoft Word and install it. The work is done for you and you never have to worry about your router going down. Nowadays a third party will do it for you, and do it cheaply. They deal in bulk, so the cost to you becomes negligible. It has also changed the paradigm for many of us. We no longer need to be "techies", IT administrators, engineers or even developers in many cases. We just need to be almighty consumers.

Now let's digest this and talk about the disadvantages and risks associated with cloud computing. The services we discussed, Yahoo Mail, McAfee, Go Daddy and Google Docs, all have terms of service. These terms basically lock you into whatever rules the hosting company dictates. Take a look at the service statements online that you, um, read before you checked the "I Accept" box. Take Yahoo for example (and Google Mail, MS Live Mail, etc.). Their Terms of Service state they have the right to screen your email and give out your ID and password. They also state they can save your data on their servers out of country (and, of course, the myriad of copies of said data that implies). They can delete messages as they see fit for any reason (age, size, etc.) or without reason. They can also eliminate your account at any time and you waive any and all liability. Last, but certainly not least, Yahoo reserves the right to use your emails to generate advertising that is more specific to you and your interests.

But wait! There's more! Let's talk Go Daddy next. Or better yet, web hosting companies in general. Have you ever used a hosting service that got bought, changed its business model or simply went out of business? Were you able to easily get your data back? You might have, but not everyone has been so lucky. When a company goes bankrupt, or the federal agents bust in with a warrant to take the servers, you might find yourself on the poop end of the stick.

Even those Internet-driven and -updated anti-virus tools can get into the mix. McAfee, in April 2010, pushed out a routine security update that took out tens of thousands of PCs and servers. Coles, an Australian supermarket chain, said 1,100 checkout terminals crashed because of the McAfee update, so it temporarily closed several stores in that country. An Intel spokesman in California acknowledged the problem at its headquarters was "significant." Kentucky State Police lost use of their entire IT infrastructure, and hospitals in Rhode Island postponed elective surgeries. Anyone want to guess what the terms of service state about that little "flaw"?

I don't want to leave out poor old Google though. What happens when the place you store your documentation just so happens to get broken into? Think Google security will take care of it? Well, on April 20th, 2010, Google released some of the previously closely guarded details about the big hack that hit them from China. This, folks, is where we delve into what you came here to see, namely how exactly Identity and Access Management fits into this whole equation. You see, in December 2009, Google's password system, which controls access to almost all of its web services, was compromised through a seemingly harmless message sent to a Google employee in China. The theft began with a message sent to a Google employee in China who was using MS Messenger. By clicking on a link and connecting to a "poisoned" website, the employee inadvertently permitted the intruders to gain access to his computer and then to the computers of a critical group of software developers at Google's headquarters in California. The program, code-named "Gaia", which lets users and employees sign in once with their password to reach a range of services, was the target. Yes, Google's single sign-on system opened the door to a hacker having access to pretty much everything they wanted. Cloud computing at its worst, I am afraid.

Plain and simple, with a public cloud the responsibility for application security, identity management and data protection sits within the purview of the cloud provider, not your own staff; what stays with you is deciding who you let in and what you hand over. As a result you had better expect your provider to be transparent and its security second to none. Feeling the warm and fuzzies yet?

The Private Cloud

Companies always have the ability to create a private cloud, in which they own the system: they bought it, built it, installed it and manage it. That sounds more secure, but it partly defeats the primary purpose of cloud computing, which is low cost. There is also a joint or "community" model, in which a private cloud is shared with other organizations. While this might work well for government or a public-sector group, I doubt Wal-Mart and Target will be sharing a community cloud anytime soon.

COMING SOON IN PART II

Identity Management in the Cloud and associated advantages vs. issues

• Strong user authentication, Web Single Sign On, and Identity Federation for access control needs
• User provisioning, role management, and identity attestation for user life cycle management
• LDAP directory and virtual directory for identity repositories
• Database security and OS security for locking down access to critical operating environments