Posts Tagged ‘Todd’

Happy 100th Blog Posting! IDMWorks Style…

Friday, April 1st, 2011

In celebration of IDMWorks’ 100th blog posting we thought we’d do a little shout-out to ourselves.

We help clients solve complex business issues with custom solutions, more efficient processes and deep industry knowledge. Our consultants gather, analyze, assess and use information from across the enterprise to create value in our customers’ organizations.

Speaking of customers, we have deployed IAM and Data Center solutions for quite a few organizations across the following industries:

  • Financial and Banking
  • Higher Education
  • Public Utilities
  • Federal, State and Local Government
  • Healthcare and the Insurance Industry
  • Commercial and Retail

As a result we have not only the technical know-how but also knowledge of the applicable regulations beyond simply Sarbanes-Oxley and HIPAA.

So feel free to reach out to our staff at IDMWorks and get to know peace of mind.


RSA fall down, go boom…

Thursday, March 24th, 2011

Apparently RSA got hacked.

The cyber-thieves may have snagged sufficient information to crack the RSA Token security.

Per RSA Executive Chairman Art Coviello:
“Some of that information is specifically related to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”

Holy schnikies!

Per the Washington Post:
“Forty million SecurID tokens are in use in more than 30,000 companies and government agencies worldwide.”

Something tells me between the coming lawsuits, potential class action lawsuits, costs to replace and mass RSA outrage and firings it is about to get really, really ugly.

Might I recommend, from News.com:
What the RSA Breach Means For You (FAQ)

Thoughts?

Why use Identity Management Standards?

Monday, February 21st, 2011

Why would an enterprise want to have standards support across all of their systems?

A typical enterprise has software and technology from more than just one vendor. They have technology from Oracle, Microsoft, IBM, SAP, etc.

They need their identity management systems to support standards and integrate well with all of the 3rd party systems found in the typical enterprise. Thus, when selecting a vendor’s Identity Management software, you should ensure it has been designed to work seamlessly using standards, and that where standards do not exist it still integrates cleanly with other enterprise applications.

There are many open standards defined for Identity and Access Management that can be implemented, such as SPML for provisioning, SAML for federation, XACML for externalized authorization, InfoCards and OpenID/OAuth for user-centric identity, and IGF for identity governance.

Looking to produce an RFP for vendor selection? Give IDMWorks a shout.

Private Cloud Identity Management Considerations

Sunday, February 20th, 2011

The most natural evolution for many enterprises in their migration from traditional enterprise IT to a cloud model is the Private Cloud. One of the significant advantages of a private cloud model is the level of control and the level of security that it can offer IT organizations over their own cloud infrastructure. Traditional Enterprise IdM relies on tight integration and heavy customization. The cloud’s model of sharing resources makes tight coupling a non-starter.

The cloud model instead needs an identity management infrastructure with the following characteristics:

  1. Service Oriented – so that applications can take advantage of reusable shared components supported by your IT organization using SaaS (Software as a Service)
  2. Standard Oriented – so that your services can work seamlessly with other applications on premise and off premise (SAML, SPML, XACML, OpenID, etc.).
  3. Loosely Coupled – so that you can build and deploy services by leveraging existing ones using PaaS (Platform as a Service).
  4. Interoperable – work seamlessly with your traditional infrastructure without introducing any deployment risks using IaaS (Infrastructure as a Service).

In a private cloud, your IT has to worry about sustaining compliance and keeping compliance costs down. In a public cloud, on the other hand, service providers have a significantly higher bar when it comes to compliance. Audit standards like SAS 70 are applicable to public cloud service providers. Sustainable compliance demands automation. So technologies like Identity and Access Governance are necessary to meet the complex demands of compliance such as attestation and access governance.

Self Service is also critical in private cloud scenarios. Self service can keep administrative overhead costs down. Delegated Administration is also necessary in private clouds so that central IT can delegate control of identity management for departments to departmental owners. Technologies like Identity Administration can help with self service provisioning, password reset and in enforcing delegated administration.

Questions? Feel free to reach out to us at IDMWorks.

Federated Identity in the Cloud using Attribute Based Access Control (ABAC)

Sunday, February 20th, 2011

In the Cloud context, sometimes it is not necessary to have user accounts in both the Identity Provider and the Service Provider. The requesting Identity Provider can categorize users based on groups, roles and other attribute information.

Let’s scope this out shall we?

A user has a Purchasing Manager role in Domain A, which is translated to a role of Customer in Domain B. In attribute federation, the receiving Identity Provider must be able to read this attribute information from the response sent by the first Identity Provider. This attribute information should then be mapped to authorization information on the receiving end. The delivered attributes have a corresponding role or other type of authoritative information in the receiving Identity Provider, and that information drives the access control decision.

This is a simple use-case that I hope better defines where and why we used an Attribute Based Access Control (ABAC) method to federate in addition to Role Based Access Control (RBAC).

Questions, comments, concerns? Ask away at IDMWorks.

Externalizing Authorization from Applications using Oracle Entitlements Server

Sunday, February 20th, 2011

Organizations can build better security with added IT agility for private clouds by externalizing authorization from applications using Oracle Entitlements Server.

Typically in a private cloud scenario you might have a data center with a hardware grid hosting a middleware platform so let’s take the next step:

  1. You have the departmental application owners building their own custom applications using the set of shared services available through the framework. Application developers can then use Oracle’s Platform Security Services as the single security framework for both Oracle and third-party environments, externalizing authorization controls from the application into XACML policies and decreasing application development, administration, and maintenance costs.
  2. The application is deployed to the runtime environment.
  3. Enterprise IT defines policies and services, so you have a centralized infrastructure to enforce your security policies throughout the organization. With Oracle Entitlements Server, IT then centralizes enforcement of consistent policies throughout the infrastructure.
  4. Once the application is deployed, end users can access it. The application, in conjunction with Oracle Entitlements Server security modules, enforces fine-grained security policies in the app (so you can restrict access to sensitive application functions by user entitlements).

If security mandates evolve or policies change, the application doesn’t need to be recoded. The new policies can be enforced across all applications using the OES infrastructure.
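The two posts above describe one flow in two stages: Domain B maps the attributes asserted by Domain A into local roles, and a policy decision point outside the application decides access so that a policy change needs no recode. The block below is an added example illustrating both stages; it is not code from IDMWorks, Oracle Entitlements Server or any XACML library. The issuer URL, the attribute map, the `Rule`/`PolicyDecisionPoint` shapes and the sample assertion are all constructed for the illustration; a real deployment would verify a signed SAML assertion before reaching the mapping step.

```python
"""Attribute federation followed by an externalized authorization decision.

Added example (not IDMWorks', Oracle's or any XACML library's code). Stage 1:
Domain B translates Domain A's asserted attributes into local roles. Stage 2:
a minimal policy decision point (PDP), kept outside the application, returns
Permit or Deny, so policy changes never require application changes.
"""
from dataclasses import dataclass

# Constructed assertion body, standing in for a parsed and already
# signature-verified SAML attribute statement from Domain A's identity provider.
ASSERTION_FROM_DOMAIN_A = {
    "issuer": "https://idp.domain-a.example",   # hypothetical issuer
    "subject": "jdoe",
    "attributes": {
        "role": ["Purchasing Manager"],
        "department": ["Procurement"],
    },
}

# Domain B's trust and mapping configuration (assumed shape, constructed values).
TRUSTED_ISSUERS = {"https://idp.domain-a.example"}
ATTRIBUTE_MAP = {
    # (issuer, attribute name, attribute value) -> local role in Domain B
    ("https://idp.domain-a.example", "role", "Purchasing Manager"): "Customer",
    ("https://idp.domain-a.example", "role", "Accounts Payable"): "Billing",
}


def map_attributes_to_local_roles(assertion, attribute_map=ATTRIBUTE_MAP,
                                  trusted_issuers=TRUSTED_ISSUERS):
    """Translate Domain A's attributes into Domain B roles.

    Assertions from issuers Domain B does not trust yield no roles, and
    attribute values with no mapping are ignored, so remote role names are
    never passed through unchanged: the result is deny-by-default.
    """
    issuer = assertion.get("issuer")
    if issuer not in trusted_issuers:
        return set()
    roles = set()
    for name, values in assertion.get("attributes", {}).items():
        for value in values:
            local_role = attribute_map.get((issuer, name, value))
            if local_role is not None:
                roles.add(local_role)
    return roles


@dataclass(frozen=True)
class Rule:
    """One externalized rule: permit `action` on `resource` for any listed role."""
    resource: str
    action: str
    any_of_roles: frozenset


class PolicyDecisionPoint:
    """Minimal PDP. Policies live here, outside the application, so they can be
    changed centrally without the application being recoded."""

    def __init__(self, rules):
        self._rules = list(rules)

    def add_rule(self, rule):
        self._rules.append(rule)

    def decide(self, subject_roles, resource, action):
        for rule in self._rules:
            if (rule.resource == resource and rule.action == action
                    and rule.any_of_roles & set(subject_roles)):
                return "Permit"
        return "Deny"   # no matching rule: default deny


# Constructed policy set for a purchasing application in Domain B.
PDP = PolicyDecisionPoint([
    Rule("orders", "create", frozenset({"Customer"})),
    Rule("orders", "approve", frozenset({"Billing"})),
    Rule("catalog", "read", frozenset({"Customer", "Billing"})),
])


def authorize_federated_request(assertion, resource, action, pdp=PDP):
    """What the application's enforcement point does: map attributes, ask the PDP."""
    roles = map_attributes_to_local_roles(assertion)
    return pdp.decide(roles, resource, action)


if __name__ == "__main__":
    print(map_attributes_to_local_roles(ASSERTION_FROM_DOMAIN_A))                  # {'Customer'}
    print(authorize_federated_request(ASSERTION_FROM_DOMAIN_A, "orders", "create"))   # Permit
    print(authorize_federated_request(ASSERTION_FROM_DOMAIN_A, "orders", "approve"))  # Deny
    # A policy change made centrally, with no application code change:
    PDP.add_rule(Rule("orders", "approve", frozenset({"Customer"})))
    print(authorize_federated_request(ASSERTION_FROM_DOMAIN_A, "orders", "approve"))  # Permit
```

The mapping step is keyed on issuer as well as attribute name and value, so two partner domains that both assert a "role" of "Purchasing Manager" can land in different local roles, and an assertion from an issuer outside the trust list produces no roles at all rather than falling through to a permissive default.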

Questions, comments, concerns? Ask away at IDMWorks.

Cloud Layering through IaaS, PaaS & SaaS

Friday, February 18th, 2011

We have beaten the Public vs. Private Cloud advantages subject to death here on this blog.

So today’s subject will be an explanation of the various layers of Cloud offerings available.

A cloud-based offering can be provided at different levels and with different service models.

1) Infrastructure as a Service (IaaS) – A very basic, low-level infrastructure of servers with operating systems can be provided; Amazon EC2 is probably the most widely known example.

2) Platform as a Service (PaaS) – Offering more structure and composable components gives us “Platform as a Service” such as the Google App Engine or Salesforce’s Force.com.

3) Software as a Service (SaaS) – The highest level offering is a full application, “Software as a Service” such as Oracle’s “On Demand” offerings or Salesforce.com.

But be warned: the higher the level of the cloud offering, the less the “customer” of the cloud has to do or build, but the more constrained he is. It’s a trade-off between effort and flexibility.

Furthermore, as you move from IaaS to PaaS and finally SaaS, you get fewer controls and less visibility into what the service provider offers. Many Service Providers may not implement standards, which can make interoperability and integration challenging.

Questions? Feel free to reach out to us at IDMWorks here.

Identity Management & the Art of Removing Cloud Security Obstacles

Thursday, February 17th, 2011

First the fun: why Cloud? Well, we seem to define this a lot here at IDMWorks.

The quick and dirty:

1. Pay As You Go Approach to IT
There is no upfront cost and this helps keep the cost down for the service consumers. Cloud computing is a pay-as-you-go approach, in which a low initial investment is required to get started, and additional investment is incurred as system usage increases.

2. Highly Available Infrastructure
Many cloud providers sell their service as highly available. This gives Cloud services the aura of a utility that is always on and can be leveraged anytime and from anywhere.

3. Strong Time to Value Ratio
With Cloud computing, organizations realize benefits more rapidly than with the traditional packaged software use model. In the traditional IT model, a large investment is made early in the project prior to system build-out, and well before tangible business benefits are realized. This model carries several risks, since a large percentage of IT projects are cancelled due to poor ROI or user acceptance. Cloud provides IT a way to outsource non-critical functions to an organization better equipped to run those services.

4. Flexible Computing Model
Cloud computing offers much more flexibility than traditional computing models. Your employees can access information wherever they are rather than being restrained to their desktop.

5. It’s Simple
One of the advantages of cloud computing is that businesses of all sizes can instantly obtain the benefits of the enormous infrastructure without having to implement and administer it directly.

Enough of the pitch, now on to Identity Management in the Cloud

Cloud Identity Challenges:

1. User Lifecycle Management:
New Cloud applications bring new complications of management, more costs and administrative hassles. You may have invested hundreds of thousands or even millions in enterprise provisioning software only to find out that it does nothing to address your identities in the Cloud. There could be windows of time where your terminated contractors have not yet been de-provisioned from critical applications. As such, organizations will quickly find out they need a centralized infrastructure to manage user identity information effectively. Further, explosive growth in the use of web applications increases the complexity and administrative overhead of deciding which users should be entitled to access which applications. So it is critical in the cloud framework to be able to facilitate self-service registration whenever possible. This can lead to better agility, reduced help desk costs and higher convenience for end users.

2. Compliance:
As more services and applications are being provided by 3rd parties, organizations have new compliance issues to worry about. The more sensitive data we have via these 3rd party applications the more we need to be able to enforce the types of controls that allow us to be compliant.

3. Federated Authentication:
The ability to collaborate seamlessly with your partners, vendors, and customers. An organization may already have all of its internal user identities stored in Active Directory and its external users, such as partners and vendors, in an LDAP directory, and it may want all of those users to leverage an external cloud application without replicating all of that identity information in a third party product. Many organizations also want the convenience of having their users sign on once to access not only internal applications but also SaaS applications in the cloud.

Cloud Identity Solutions:

1. User Lifecycle Management:
Identity Administration helps solve the user lifecycle management challenge and many other common issues such as self service registration and compliance reporting. Automating the provisioning and de-provisioning of users, and administering user identities for both on premise and cloud applications, will bridge the security gap regardless of the size of the network. The addition of Role Based Access Control (RBAC) means that when a user changes roles they are automatically de-provisioned from the systems they no longer need and added to the ones relevant to their new role. Additionally, automated Identity Administration allows us to identify and remediate orphaned accounts (those accounts whose owners are long gone).

Throw in user self-service access requests and self-service password reset capabilities and the User Lifecycle Process can be fully automated across the Cloud.

Need this to be standards-driven? Let’s implement SPML connectors.
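The lifecycle mechanics described above, a role change that drives provisioning and de-provisioning and a sweep for orphaned accounts, as an added example that is not IDMWorks' or any identity administration product's code. The role model, the target-system account inventory and the identity list are all constructed sample data; in a real deployment they would come from the role catalogue, the target systems (via SPML connectors or the like) and the authoritative HR feed.

```python
"""Role-driven entitlement deltas and orphaned-account detection.

Added example (not code from the IDMWorks blog or any product). It shows two
things an automated identity administration process does: when a user's roles
change, compute exactly which entitlements to add and which to remove; and
find orphaned accounts, meaning accounts on target systems whose owner is no
longer an active identity.
"""

# Constructed role model: role -> entitlements granted on target systems.
# Entitlement names are "system:privilege", a convention assumed for this example.
ROLE_ENTITLEMENTS = {
    "Purchasing Manager": {"erp:po_approve", "erp:po_create", "crm:read"},
    "Purchasing Clerk": {"erp:po_create", "crm:read"},
    "Contractor": {"crm:read"},
}


def entitlements_for(roles):
    """Union of the entitlements granted by a set of roles (unknown roles grant nothing)."""
    granted = set()
    for role in roles:
        granted |= ROLE_ENTITLEMENTS.get(role, set())
    return granted


def role_change_delta(old_roles, new_roles):
    """Return (to_provision, to_deprovision) for a role change.

    The delta is computed on entitlements, not roles, so an entitlement still
    justified by a remaining role is kept. A Manager demoted to Clerk keeps
    po_create and crm:read and loses only po_approve; a terminated contractor
    (no roles left) loses everything.
    """
    before = entitlements_for(old_roles)
    after = entitlements_for(new_roles)
    return after - before, before - after


def find_orphaned_accounts(target_accounts, active_identities):
    """Return sorted (system, account_id) pairs whose owner is not an active identity.

    target_accounts maps system -> {account_id: owner_identity or None}. An
    account with no linked owner, or whose owner has been terminated, is
    orphaned and should be disabled or reassigned.
    """
    orphans = []
    for system, accounts in target_accounts.items():
        for account_id, owner in accounts.items():
            if owner not in active_identities:
                orphans.append((system, account_id))
    return sorted(orphans)


# Constructed sample data: the authoritative identity list and what the
# target systems actually hold (including a stale account and an unlinked one).
ACTIVE_IDENTITIES = {"jdoe", "asmith"}
TARGET_ACCOUNTS = {
    "erp": {"jdoe": "jdoe", "bjones": "bjones", "svc_report": None},
    "crm": {"asmith": "asmith", "jd_old": "jdoe"},
}


if __name__ == "__main__":
    add, remove = role_change_delta({"Purchasing Manager"}, {"Purchasing Clerk"})
    print("provision:", sorted(add), "deprovision:", sorted(remove))
    add, remove = role_change_delta({"Contractor"}, set())       # contractor terminated
    print("provision:", sorted(add), "deprovision:", sorted(remove))
    print("orphans:", find_orphaned_accounts(TARGET_ACCOUNTS, ACTIVE_IDENTITIES))
```

Note that `jd_old` in the CRM is not flagged: its owner is still active, so it is a duplicate account to review rather than an orphan. Distinguishing the two matters, because an orphan can be disabled unilaterally while a second account for a live user needs the owner consulted first.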

2. Compliance:
Simply put, utilize Identity Management tools to log and report Who has access to What, When, Why, and How and fulfill those pesky regulatory requirements, such as Sarbanes-Oxley, 21 CFR Part 11, Gramm-Leach-Bliley, HIPAA, and HSPD-12.

3. Federated Authentication:
Need to collaborate seamlessly and yet securely across complex heterogeneous environments? Make sure your Single Sign-On solution can support SAML, Windows CardSpace, WS-Fed and/or OpenID.

In summation, contact IDMWorks and let us help you plan your Cloud based Identity & Access Management (IAM) security solutions around the core tenets:

1. Identity Management

a. Roles based User Provisioning

b. Self-Service Request & Approval

c. Password Management

2. Access Management

a. Authentication & Fraud Prevention

b. Single Sign-On & Federation

c. Authorization & Entitlements

d. Web Services Security

e. Information Rights Management

3. Governance, Risk and Compliance (GRC)

a. Analytics

b. Fraud Prevention

c. Privacy Controls

Hacking on a $1.50 a Day! WPA-PSK cracked via Cloud Technologies, rut roh raggy!

Friday, January 7th, 2011

A rather ingenious method was established in which a security consultant used the amazing Amazon Cloud to hack into a WPA-PSK (Wi-Fi Protected Access Pre-Shared Key) protected Wi-Fi network through brute force in 6 minutes at $.28 a minute. Incredible! The Amazon Cloud powered a 400,000-passwords-a-second brute-force attack, laying waste to the supposedly unbreakable WPA standard.

Pulled from Reuters here.

PasswordBank ESSO, Private Cloud and IDaaS

Tuesday, December 21st, 2010

I wanted to point out a neat Enterprise Single Sign-On (ESSO) tool (and a few other offerings) we’ve seen from PasswordBank. For those with a Passlogix (now Oracle) v-GO ESSO implementation that don’t want to go the Oracle route I might recommend checking out the PasswordBank Enterprise Single Sign-On solution. I have seen the Passlogix tool in action quite a bit over the years and have implemented the Citrix Password Manager for XenApp SSO to do the same, and had interesting results with both. To bottom-line this, ESSO is one of the easier Identity and Access Management streams to implement cleanly and efficiently. Now that Oracle has snatched up Passlogix to complete its IdM Empire I have had quite a few inquiries as to competing products. While I can respect the juggernaut that is Oracle (as I am a fan of many of their products) I can also understand and empathize when a customer doesn’t wish to continue down the Larry Ellison expressway for all of its needs. It is similar to me spreading out my technophile leanings to include a MS OS on my HP laptop, an Apple iPad, a Verizon MiFi and a BlackBerry smart phone using AT&T. I do this partly because I don’t believe in putting all of my eggs in one software basket and partly to broaden my technological fingerprint. So when I get that from clients looking to diversify their IDM stack to include both varied vendors and best of breed I start to take an inventory of the players, landscape and potential.

Now back to the ESSO discussion. Without going overboard here I recommend taking a look at the PasswordBank product. They have a range of applications but in this post I want to talk ESSO. The PasswordBank ESSO solution can be deployed on Windows, Linux and Mac desktop operating systems, which covers pretty much the gamut these days. This is the biggest differentiator I see from PasswordBank, as I am hard pressed to find a vendor with both Linux and Mac OS ESSO in one handy little package. As would be expected, the PasswordBank application has SSPR (Self Service Password Reset), a standard for ESSO. Interestingly enough, the PasswordBank folks also have a Private Cloud service that hooks into the ESSO solution and feeds into the Identity as a Service (IDaaS) model.

I have scheduled a demo with the PasswordBank team and will report back with my findings shortly. Until then, let us know if you have had experience with the PasswordBank application by sounding off below, and look for a thorough review from the IDMWorks team in the near future. Also, feel free to reach out and contact us if you want the in-depth report we will generate once we complete our review.