Thursday, February 16, 2012

A Smart Choice in Identity Management: CA IDM

Lately there has been a large influx of newly minted Identity Management products, and judging the overall quality of a product is a heavy undertaking. Simply put, it’s hard to separate the good from the bad. After wading through the different IDM solutions out there, one that stood out was CA. CA’s Identity Management Suite makes things faster, easier, and less error-prone than having your IT department do it by hand. In fact, Gartner has consistently positioned CA in the exclusive “Leaders” quadrant for a variety of rankings. With CA you’re working with a trusted name in the industry.

CA Identity Management provides a lot more than just the common Identity Management solution. With it, user provisioning and removal, as well as any approval processes the user may need throughout their life cycle, are automated. This allows for less human error by the IT department, preventing accidental access to services the user simply should not have. Workflows can schedule these events and are completely customizable, letting you tailor organization approvals and alerts. CA Identity Management also supports customization on connectors without having to completely write, manage, and support custom code created by a technical consultant.

The CA Identity Management Suite also provides a core for the control of all users, roles, and policies you need for multiple identity services. You can collect and synchronize all users’ attributes, roles, and identity tasks to one hub, allowing for ease of access across your entire company. After all user data has been aggregated, users can log in and update their personal information (e.g. street address, last name, postal address, password reset) on their own, freeing up your IT department for other pressing matters. They can also request access to certain privileges through workflows, which can be approved by senior members of your team.

CA Identity Management also supports cloud applications in addition to the on-premises apps other identity management suites proudly boast. Connecting to cloud applications via CA Identity Management allows your business to manage everything from a single point of access. CA Identity Management has out-of-the-box connectors to interface with applications such as SAP, Active Directory, and Salesforce.com.

After reviewing the facts, CA Identity Management appears to be a sublime IDM solution. With cloud application support, automated user management, and user self-servicing, CA Identity Manager provides your company with everything you need to create a more optimized, efficient, and resource-saving solution for all your business’s compliance and identity management needs.

Action Identity specializes in business solutions involving technologies such as Identity and Access Management solutions. We are more than a technology company. We provide our customers with the strategic thinking, architectural vision, investment control, and practical solutions that save money, return value to the lines of business, and holistically implement solutions to preserve operations typically impacted by change and modernization. To learn more about us, visit our website. If you’d like to speak with us directly, please click here


The Importance of Aggregating Data

What do you do when you are integrating Identity Management with your enterprise and your company’s applications, and there are applications or services that require data that your identity vault does not contain? Often the solution is to put workflows into place to get the data that you need into your directory. When you go this route, however, you’ve added man hours back into the provisioning process, which cuts into the benefits you see from this kind of management service. As many of you have no doubt already determined, the best practice would be to already have this information in your vault, but where does it come from?

Most organizations use some kind of payroll or human capital management (HCM) software to keep track of human resources, salary, positions, and, with some solutions, even information about your departments, facilities, and divisions. Often when writing connectors/drivers, only the information that is thought to be necessary at that time is aggregated and pulled into the IDM vault. However, it is hard to tell what applications you will integrate in the future or what those applications will need in order to provision or update identities. So when presented with a system like a payroll application, it is always in the best interest of your project to pull in all possible data. Even if you don’t have a reason to contain something like a “secondary state work license number”, a field may need that value in the future, and it’s always going to be easier to pull the information in when you’re developing a connector/driver the first time than to come back later and extend its schema.

I hope you found this information helpful and that you keep this in mind the next time you’re looking at a connector/driver to a system that contains extra data. If you have questions about this, feel free to leave a comment below or contact us directly


Novell SecureLogin 7 and Securing Sensitive Authentication Information

 

Single sign-on, or SSO, is a type of access control that software systems use to authenticate users’ credentials when accessing secure systems. SSO helps reduce password phishing and password fatigue by allowing the users to only enter their password once. This extra form of authentication also supports conventional authentication like Windows Credentials, and allows a company using SSO to reduce the costs of IT help desk calls regarding forgotten passwords. There are many vendors out in the marketplace for Single Sign-on software, but one that is exceptional and easy to integrate into most Windows-based systems is Novell SecureLogin 7.

Novell SecureLogin 7 supports eDirectory, Active Directory, ADAM Directory, and other LDAP v3 directories, and also has a web wizard to enable SSO for websites. All SSO data can be backed up and restored using Novell SecureLogin, making it much easier to maintain and secure user credentials. Many companies today are using smart-card access for door entry as well as computer access to help with security of important information. SecureLogin also supports smart cards and biometric software, and integrates well with Card Management Systems.

Novell SecureLogin provides the highest standard of security and protection by using Triple DES (Data Encryption Standard) and AES (Advanced Encryption Standard) algorithms for the encryption of sensitive user data. The software can even capture an audit trail of SSO activity in Novell Sentinel so the events can be viewed through Windows Event Viewer. Also, implementation of SSO no longer requires administrators to learn complex scripting languages to implement SSO functionality; with SecureLogin, the wizard will automatically generate the scripting for them. This will decrease the amount of time it normally takes to enable a mixed infrastructure from weeks to mere days.

A favorite success story for Novell SecureLogin involves a medical group based out of central Florida. In this success story, which can be read here, the medical group deployed Novell SecureLogin and Novell Modular Authentication Service to help safeguard electronic medical records and help with lowering cost of support. They also integrated SSO with a fingerprint biometric solution to ensure maximum protection of the records being stored in their databases. Securing and maintaining sensitive information about patients and medical histories is important to any medical company, so having authentication software in place can help with strengthening security over access to records. Not only did integrating SSO help with maintaining security for the medical group, but it also helped with reducing their IT costs and improving employee productivity.

Attachmate acquired Novell in 2011. Since its acquisition, the Novell brand has had its products split and distributed into four different companies. The identity, security and compliance products from Novell are now under the NetIQ brand name. Action Identity references these products as "NetIQ" products in place of their former name, "Novell." The products that are rebranded include Novell Compliance Management Platform, Novell Privileged User Manager, Novell Sentinel, Novell Secure Login, Novell Access Manager (Novell iChain) and Novell Identity Manager.

 

Action Identity will continue to be a preferred, Platinum Identity, Security and Compliance partner with Novell Identity Management products, even as they fall under the NetIQ brand name. NetIQ will continue to develop and provide excellent support around the Novell suite of identity, security and compliance products. Action Identity is here to answer any questions you have about NetIQ/Novell. We are able to support and offer services for existing Novell customers as well as guide those new and prospective NetIQ customers.

 

Look forward to more blogs in the future on the ease of integration of Novell SecureLogin as well as more success stories from companies utilizing Single Sign-on for their businesses. The security policies for systems, applications, and websites can be easily and quickly enforced with products like Novell SecureLogin.  

I hope you have enjoyed this blog. If you have any questions on this topic, leave a comment below and we’ll get back to you shortly. To learn more about Action Identity and Novell SecureLogin, visit our website. To contact us directly, please click here. We look forward to hearing from you.


Thursday, February 2, 2012

CJIS Advanced Authentication Requirements and naviGO Software

Introduction to CJIS Requirements and naviGO Software

Local, state, and federal law enforcement and criminal justice agencies have started to comply with the recent mandatory authentication policy requiring advanced authentication when accessing the Criminal Justice Information System (CJIS) database. This system provides agencies with access to information such as fingerprint records, criminal histories, and sex offender registrations, to name a few. The advanced authentication that is being put into place requires users to provide two forms of identification, physical and “something you know”, in order to access the highly sensitive information stored in the database. Physical identification would be when a contactless smart card is placed on a reader, and “something you know” would be when the user has to input a password or PIN number.

Many organizations today are already making use of new technology for access to parking garages, buildings, and computers. For the project I am currently working on, a HID OMNIKEY RFID contactless card reader is being used to demonstrate the strong authentication methods of naviGO software. NaviGO software, in combination with both contact and contactless readers, simplifies deployment of strong authentication and works well with Windows operating systems.

 

NaviGO’s Ease of Use

Many people today are already becoming familiar with contactless card technology, whether for work, school, or at their local gym. Contactless readers are being installed in entrance ways and gates to restrict access to only those who have an active account with the organization. There are many different types of contactless cards; the most common are similar to the standard credit card or ID. The NaviGO Server works with many types of smart cards including Crescendo, digital certificates, iClass, Prox, and Knowledge Based Authentication (KBA). Some new types of smart cards include some that can be put on a key ring, or stickers that can be used to grant access into buildings and computers.

Using naviGO software, administrators can control user credentials issued via contactless cards. The naviGO Administrator's Portal allows strong authentication to be customized based on policies or rules set by each organization. NaviGO can use information stored in Microsoft’s Active Directory to issue smart card credentials and apply user roles based on the group permissions (e.g. Administrators with Full Access, Users with Limited Access). Since many organizations are already using contactless cards for building access, this software will make use of the existing access cards to provide two-factor authentication.

Since most people are already familiar with access cards, they won't have to learn anything new or rely on calling a help desk to use the same card that let them enter the building to log on to their computer. This will make the transition to the new authentication policies painless and less confusing.

  

 

Closing Remarks about Security

An administrator can set up default PINs for new employees as well as a default set of Emergency Access questions. A number of questions are predefined in the naviGO Workstation, but unique questions can be made and added to the system depending on the administrators’ preferences. Additionally, rules for setting a PIN can be customized for added security. Email alerts can be set up using the naviGO Administrator’s Portal to keep users informed of PIN or password expirations and unintended access.

NaviGO Software has helped make advanced authentication much easier for small and large companies. For more information about how this specifically applies to the CJIS Mandate, visit CJISMandate.com.

 

Thank you for taking the time to read my blog about naviGO Software and the CJIS Advanced Authentication Mandate. If you have any questions, feel free to comment below as I am more than happy to answer any questions or comments.

To learn more about Action Identity, and how we can assist in making your organization CJIS compliant, visit our website

 



Tuesday, January 17, 2012

The Necessity of Identity Management

Over the past couple of months we have posted an influx of blogs, articles, videos, and reviews all discussing various facets of Identity Management. However, we recognize that a simple overview of the essentials of Identity Management seems to be absent, and its intrinsic value is one that should not be missed due to confusion. It’s because of this need that we feel compelled to write this week’s blog post on the necessity of Identity Management, and break it down to its core values.

Identity Management is a powerful tool that can consolidate even the largest corporation.  With the rising amount of credentials that employees need to maintain, it is becoming increasingly difficult to keep track of user accounts for each application within an organization.  Studies have shown that employees (both past and present) pose a great threat to an organization; even more so if they leave on bad terms.  Several questions then arise:  What applications did this user have access to; how many user accounts did the user own; how is this data maintained; and lastly, who is responsible for removing or disabling the accounts?  For organizations without a central solution for dealing with a user’s application accounts, the time it takes to identify and remove these accounts can vary greatly, often leaving a window of vulnerability open.

That’s where Identity Management solutions come into play.  With Identity Management, administrators within an organization can control access to resources with the click of a button.

In a simple example, an organization has two resources where users exist:  The first is a directory service and the second is a database.  The directory service is used to authenticate users against machines they work on; it also grants them certain permissions based on their group membership within the directory.  The database is a billing system where users simply exist, but administrators can view and manipulate data regarding payments for employees.  Each of these resources requires their own user account for authentication, meaning the credentials can vary between the directory service and the billing database.  If a user joins this organization, who determines the username and password associated with the applications?  How are these two resources connected?  In our simple example, it is easy to maintain a list of users and their accounts by hand.  Now, throw in a mailing system, two terminal emulation applications, software for marketing, a help-desk solution, et cetera.  The list goes on as a company expands, and as this company grows, maintaining that list, which originally consisted of two applications, grows increasingly difficult.

With an Identity Management solution, the process of creating, maintaining, and removing accounts is completely centralized.  How is this accomplished?  An Identity Manager can connect to any resource within an organization using customized code, known as connectors.  These connectors allow the identity representing an employee from within the Identity Manager itself to be provisioned to target applications, connecting the IDM user object with the application user objects.  With an IDM (Identity Management) solution, administrators can standardize the naming of user accounts, based on the resource the user is being provisioned to.  For example, some applications may have a first initial/last name convention, while others have a first name/last name convention.  With an IDM, this customization can be supported while providing the necessary consolidation.

The process for provisioning varies drastically between resources, as each requires different information from the user in order to function properly, and the user object within IDM is completely customizable to account for this.

What if an account is created within an application, but not in the IDM?  The connectors can be configured to account for that.  Through the process known as reconciliation, IDM can actively scan for new accounts in an application and then add it to its own collective list of identities.  With both provisioning and reconciliation enabled, organizations can enjoy bidirectional synchronization from an Identity Management solution and its connected applications.  Organizations can also enforce unidirectional synchronization by disabling reconciliation or provisioning for certain applications, as they see fit.
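Provisioning with per-resource naming conventions and the reconciliation pass described above, as an added sketch (not code from any IDM product). The resource names, the numeric suffix used on a name collision, and the sample people and accounts are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Per-resource username conventions (assumed formats; the post names the two
# styles, first initial/last name and first name/last name, but no resources).
CONVENTIONS = {
    "directory": lambda first, last: (first[0] + last).lower(),   # jsmith
    "billing": lambda first, last: f"{first}.{last}".lower(),     # jane.smith
}


@dataclass
class Identity:
    first: str
    last: str
    active: bool = True
    accounts: dict = field(default_factory=dict)  # resource -> username


def provision(identity, resource, existing):
    """Create the account name for `resource` and link it to the identity.

    `existing` is the set of usernames already present in the application.
    On a collision a numeric suffix is appended (an assumed policy).
    """
    base = CONVENTIONS[resource](identity.first, identity.last)
    name, n = base, 1
    while name in existing:
        n += 1
        name = f"{base}{n}"
    identity.accounts[resource] = name
    existing.add(name)
    return name


def reconcile(vault, resource, app_accounts):
    """Compare the accounts found in `resource` with what the vault expects.

    Returns (unowned, stale, missing):
      unowned - accounts created directly in the application, with no identity
      stale   - accounts still present for identities that are no longer active
      missing - accounts the vault links to but the application no longer has
    """
    owners = {i.accounts[resource]: i for i in vault if resource in i.accounts}
    unowned = sorted(a for a in app_accounts if a not in owners)
    stale = sorted(a for a, i in owners.items()
                   if not i.active and a in app_accounts)
    missing = sorted(a for a in owners if a not in app_accounts)
    return unowned, stale, missing


def demo():
    # Constructed sample data.
    jane = Identity("Jane", "Smith")
    john = Identity("John", "Smith")   # collides with Jane in the directory
    amir = Identity("Amir", "Khan")
    vault = [jane, john, amir]

    directory = set()                  # usernames present in the directory
    for person in vault:
        provision(person, "directory", directory)

    # Drift: Amir leaves, an admin creates an account by hand, and John's
    # account is deleted directly in the application.
    amir.active = False
    directory.add("svc-backup")
    directory.discard("jsmith2")
    return reconcile(vault, "directory", directory)


if __name__ == "__main__":
    unowned, stale, missing = demo()
    print("unowned:", unowned)
    print("stale:  ", stale)
    print("missing:", missing)
```

The `stale` list is the one that closes the leaver window described earlier in the post: every entry is a live account whose owner is no longer active.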

One last feature, and probably one of its greatest, is the ability to allow users to request access to the connected resources.  By creating approval workflows, an organization can designate the IDM as their focal point for requesting access to resources.  Approval workflows can be enforced per resource to ensure that once a request is raised, designated approvers receive the information regarding the request and can approve or deny it accordingly.

An Identity Management solution is essential for companies that are experiencing problems with maintaining user accounts across applications.  It offers a single point of control that allows for the provisioning and de-provisioning of user accounts to or from any connected resource.  It also grants employees a central place to go to request access to these resources, allowing for designated individuals to approve or deny the request before access is granted.  The issues of granting a new user access to all of their necessary resources, and removing a user’s access from resources when they leave the organization, can all be solved by a click of the mouse through the central platform of Identity Management.

I hope you all have found this article helpful.  If you have any questions regarding Identity Management, feel free to leave your comments here. I’ll be happy to answer any questions you may have.

 

Action Identity is a premier provider of Identity and Access Management solutions, offering solutions from distinguished partners like Oracle, Novell, NetIQ, ForgeRock, and Symplified to name a few. To learn more about Identity Management and a tailored solution for your company, please visit Action Identity’s website. To contact us directly, please click here

 

 


Tuesday, January 10, 2012

Google Apps for Business & the Cloud

 

Everyone working directly or indirectly with IT has heard the word "cloud" uttered numerous times over the last two years. The term can be defined in many ways depending on who you are talking to and what the context of the conversation is. One very simple definition relates to the idea of accessing a service that is not running on systems within an organization's data center(s). One such example is the idea of running traditional desktop software applications via the web browser. These applications could include: email, calendar, contacts, word processing, spreadsheets, slide presentations, and collaborative work on documents.

Over the last 15-20 years, Microsoft has had the vast majority of the market share with its Office and Exchange products. This required the Office software to be installed on each individual PC and the Outlook application to point to an Exchange server running within the organization's data center(s). With the steady increase in services being offered in the "cloud," other options are now available to customers. In February of 2007 Google introduced their version of running these applications in the cloud. During the last five years, over four million businesses have decided to implement "Google Apps for Business" as their methodology for running some or all of these applications. When customers approach the end of their enterprise license agreement with Microsoft for Office and Exchange, they may consider moving to Google Apps for Business as an alternative. There are circumstances where Google Apps is potentially a perfect fit and there are circumstances where it may not be a viable option. Consider the following:

Potential Benefits for Migrating to Google Apps for Business:

* Email, Calendar, Contacts, Word Processing, Spreadsheets, Slide Presentations, Document Collaboration are all available in the web browser
* No ongoing maintenance of desktop software
* No servers necessary to maintain in the data center
* Enhancements are continually migrated into the product over time
* 99.9% "up time" Service Level Agreement (SLA)
* Complies with an SSAE 16 Type II audit
* Has achieved FISMA (Federal Information Security Management Act) certification
* 2 Step Verification available at no extra cost
* Employees need to use a wide range of mobile devices including Android, iPhone, Windows Mobile, and Blackberries for email as well as other applications.
* Simple and predictable licensing model

Potential Reasons for not Migrating to Google Apps for Business:

* Spreadsheet "power users" will not have access to all the functionality they may be used to
* Outlook users who are used to certain features when connected to Exchange will either have to switch over to the web interface or be willing to go without certain features
* Technical support is limited via email and phone
* Certain organizations may require more than the 99.9% up time SLA.

 

Google Apps for Business is not a perfect fit for all organizations.  It is a great option for some and not for others. What about your organization?  Would it work for you?  Why or why not?

 

To learn more about Action Identity and the services we provide, visit our website. To contact us directly, please click here

 
