Tuesday, February 28, 2012

Oracle University Classes for Identity Management

Since our blog’s inception, we’ve covered Oracle OIM, OAM, and other identity and access management products. Previously we’ve had guest bloggers from GCA Technology Services lend their talents to feature posts related to training and various IDM training classes. Today we have the pleasure of featuring another collaborative entry by an Oracle awarded GCA instructor to highlight Oracle identity management courses available to you. 

In addition to offering an impressive array of identity and access management solutions, Oracle University in partnership with GCA Technology Services offers classes to suit your IDM training needs. In the courses listed below, you could learn the essentials for OIM 11g, and learn to have a successful implementation and maintenance of an entire OIAM stack. 

 

Oracle Identity Manager 11g: Essentials  Course: D65160GC10

This class is a good introduction into the entire "OIAM Suite" of software products. It includes an overview of the structure of "Managed Servers" (such as OIM and OAM) on top of the Oracle 11g Weblogic Server. This concept is central to understanding the stack and applies to the entire "Fusion Middleware" infrastructure.

You’ll learn about the basic components of the OIM environment and how they work together. Also covered are best practices for starting/stopping/restarting the components in the correct sequence.

 

Oracle Identity Manager: Administration and Implementation  Course: D52945GC10

This second-level OIM class delivers basic administration skills and more. Moving beyond a basic installation into the realm of customization, this class gives you a look into the working details of "connectors" -- the Java-based code that allows OIAM to communicate with literally any kind of external resource.

Many commonly-used resources can be configured using pre-defined connectors.  Custom connectors can also be deployed for other resources using the GTC framework (Generic Technology Connector). All connectors can be deployed for provisioning, reconciliation or both.

 

Oracle Access Manager 11g: Administration  Course: D63114GC10

Building upon the infrastructure described above, the OAM class gives you solid procedures for implementing "Access Management" -- that is, the ability to grant or deny access to websites/programs/servers of any type necessary. This requires a functional OIM environment, as OAM itself does not manage user data (it is not a stand-alone product), but must be used within the context of OIM.

This course presents a complete understanding of what is required to install, configure and deploy Oracle Access Manager utilizing WLS, WebAgents and mod_osso. Backward-compatibility for OAM 10g is also covered.

 

Oracle Directory Services 11g: Administration  Course: D58676GC10

All OIAM services depend upon an LDAP server, typically OID. This class gives both an introduction into the concepts of LDAP as well as day-to-day specifics of managing OID/OVD. These are necessary core skills for the successful implementation and maintenance of the entire OIAM stack.

OID concepts and architecture are covered, as well as server replication procedures.  Also covered are methodologies for the input and retrieval of data with the LDAP server including GUI, command-line tools, using LDIF files and bulk loading. 

 

Oracle Identity Analytics 11g R1: Administration Course: D68340GC20

One of the main purposes for implementing OIAM is to provide centralized accounting and reporting of user access to resources. This class provides the learner with vital skills in analyzing and reporting that data.

Included are procedures on how to provide a complete view of access-related data that includes not only the user's access of a resource, but also the "who, why, how and where" of that access. Oracle Identity Analytics reduces operational risk exposure by providing a 360-degree view of user's access. This empowers an organization to make intelligent decisions about the type and level of access assigned to users.

 

Action Identity invites you to visit GCA.net/Oracle for a complete schedule of all Oracle University courses. We hope you found this information helpful and that you keep this in mind the next time you’re looking for identity and access management training. If you have questions, feel free to leave a comment below or contact GCA for further training information. 

Action Identity specializes in business solutions involving technologies such as Identity and Access Management solutions. We are more than a technology company. We provide our customers with the strategic thinking, architectural vision, investment control, and practical solutions that save money, return value to the lines of business, and holistically implement solutions to preserve operations typically impacted by change and modernization. To learn more about us, visit our website. If you’d like to speak with us directly, please click here

 


Thursday, February 16, 2012

A Smart Choice in Identity Management: CA IDM

Lately there has been a large influx of newly minted Identity Management products, and deciphering the overall grade of a product is undoubtedly a heavy undertaking. Simply put, it’s hard to weed the good from the bad. After wading through the different IDM solutions out there, one that stood out was CA. CA’s Identity Management Suite makes things faster, easier, and less error-prone than having your IT department do it by hand. In fact, Gartner has consistently positioned CA in the exclusive “Leaders” quadrant for a variety of rankings. With CA you’re working with a trusted name in the industry.

CA Identity Management provides a lot more than just the common Identity Management solution. With it, user provisioning and removal, as well as any approval processes the user may need throughout their life cycle, are automated. This allows for less human error by the IT department, preventing accidental access to services the user simply should not have. Workflows can schedule these events and are completely customizable, allowing you to tailor organization approvals and alerts. CA Identity Management also supports customization of connectors without having to completely write, manage, and support custom code created by a technical consultant.

The CA Identity Management Suite also provides a core for the control of all users, roles, and policies you need for multiple identity services. You can collect and synchronize all users’ attributes, roles, and identity tasks to one hub, allowing for ease of access across your entire company. After aggregating all user data, users can log in and update their personal information (e.g. street address, last name, postal address, password reset) on their own, freeing up your IT department for other pressing matters. They can also request access to certain privileges through workflows, which can be approved by senior members of your team.

CA Identity Management also supports cloud applications in addition to the on-premises apps other identity management suites proudly boast. Connecting to cloud applications via CA Identity Management allows your business to manage everything from a single point of access. CA Identity Management has out-of-the-box connectors to interface with applications such as SAP, Active Directory, and Salesforce.com.

After reviewing the facts, CA Identity Management appears to be a sublime IDM solution. With cloud application support, automated user management, and user self-servicing, CA Identity Manager provides your company with everything you need to create a more optimized, efficient, and resource-saving solution for all your business's compliance and identity management needs.


The Importance of Aggregating Data

What do you do when integrating Identity Management with your enterprise and your company’s applications, and there are applications or services that require data that your identity vault does not contain? Often the solution is to put workflows into place to get the data that you need into your directory. When you go this route however, you’ve added man hours back into the provisioning process that cuts into the benefits you see from this kind of management service. As many of you have no doubt already determined, the best practice would be to already have this information in your vault, but where does it come from?

Most organizations use some kind of payroll or human capital management (HCM) software to keep track of human resources, salary, positions, and, with some solutions, even information about your departments, facilities, and divisions. Often when writing connectors/drivers, only the information that is thought to be necessary at that time is aggregated and pulled into the IDM vault. However, it is hard to tell what applications you will integrate in the future or what those applications will need in order to provision or update identities. So when presented with a system like a payroll application, it is always in the best interest of your project to pull in all possible data. Even if you don’t have a reason to contain something like a “secondary state work license number”, a field may need that value in the future, and it’s always going to be easier to pull the information in when you’re developing a connector/driver the first time than to come back later and extend its schema.

I hope you found this information helpful and that you keep this in mind the next time you’re looking at a connector/driver to a system that contains extra data. If you have questions about this, feel free to leave a comment below or contact us directly.


Novell SecureLogin 7 and Securing Sensitive Authentication Information

 

Single sign-on, or SSO, is a type of access control for software systems to use to authenticate users’ credentials when accessing secure systems. SSO helps reduce password phishing and password fatigue by allowing the users to only enter their password once. This extra form of authentication also supports conventional authentication like Windows Credentials, and allows a company using SSO to reduce the costs of IT help desk calls regarding forgotten passwords. There are many vendors out in the marketplace for Single Sign-on software, but one that is exceptional and easy to integrate into most Windows based systems is Novell SecureLogin 7.

Novell SecureLogin 7 supports eDirectory, Active Directory, ADAM Directory, and other LDAP v3 directories, and also has a web wizard to enable SSO for websites. All SSO data can be backed up and restored using Novell SecureLogin making it much easier to maintain and secure user credentials.  Many companies today are using smart-card access for door entry as well as computer access to help with security of important information. SecureLogin also offers support for smart-cards, biometric software, and integrates well with Card Management Systems.

Novell SecureLogin provides the highest standard of security and protection by using Triple DES (Data Encryption Standard) and AES (Advanced Encryption Standard) algorithms for the encryption of sensitive user data. The software can even capture an audit trail of SSO activity in Novell Sentinel so the events can be viewed through Windows Event Viewer. Also, implementation of SSO no longer requires administrators to learn complex scripting languages to implement SSO functionality; with SecureLogin, the wizard will automatically generate the scripting for them. This will decrease the amount of time it normally takes to enable a mixed infrastructure from weeks to mere days.

A favorite success story for Novell SecureLogin involves a medical group based out of central Florida. In this success story, which can be read here, the medical group deployed Novell SecureLogin and Novell Modular Authentication Service to help safeguard electronic medical records and help with lowering cost of support. They also integrated SSO with a fingerprint biometric solution to ensure maximum protection of the records being stored in their databases. Securing and maintaining sensitive information about patients and medical histories is important to any medical company, so having authentication software in place can help with strengthening security over access to records. Not only did integrating SSO help with maintaining security for the medical group, but it also helped with reducing their IT costs and improving employee productivity.

Attachmate acquired Novell in 2011. Since the acquisition, the Novell brand has had its products split and distributed into four different companies. The identity, security and compliance products from Novell are now under the NetIQ brand name. Action Identity references these products as "NetIQ" products in place of the former name, "Novell." The products that are rebranded include Novell Compliance Management Platform, Novell Privileged User Manager, Novell Sentinel, Novell Secure Login, Novell Access Manager (Novell iChain) and Novell Identity Manager.

 

Action Identity will continue to be a preferred, Platinum Identity, Security and Compliance partner with Novell Identity Management products, even as they fall under the NetIQ brand name. NetIQ will continue to develop and provide excellent support around the Novell suite of identity, security and compliance products. Action Identity is here to answer any questions you have about NetIQ/Novell. We are able to support and offer services for existing Novell customers as well as guide those new and prospective NetIQ customers.

 

Look forward to more blogs in the future on the ease of integration of Novell SecureLogin as well as more success stories from companies utilizing Single Sign-on for their businesses. The security policies for systems, applications, and websites can be easily and quickly enforced with products like Novell SecureLogin.  

I hope you have enjoyed this blog. If you have any questions on this topic, leave a comment below and we’ll get back to you shortly. To learn more about Action Identity and Novell SecureLogin, visit our website. To contact us directly, please click here. We look forward to hearing from you.


Thursday, February 2, 2012

CJIS Advanced Authentication Requirements and naviGO Software

Introduction to CJIS Requirements and naviGO Software

Local, state, and federal law enforcement and criminal justice agencies have started to comply with the recent mandatory authentication policy requiring advanced authentication when accessing the Criminal Justice Information System (CJIS) database. This system provides agencies with access to information such as fingerprint records, criminal histories, and sex offender registrations, to name a few. The advanced authentication that is being put into place requires users to provide two forms of identification, physical and “something you know”, in order to access the highly sensitive information stored in the database. Physical identification would be when a contactless smart card is placed on a reader, and “something you know” would be when the user has to input a password or PIN number.

Many organizations today are already making use of new technology for access to parking garages, buildings, and computers. For the project I am currently working on, a HID OMNIKEY RFID contactless card reader is being used to demonstrate the strong authentication methods of naviGO software. NaviGO software, in combination with both contact and contactless readers, simplifies deployment of strong authentication and works well with Windows operating systems.

 

NaviGO’s Ease of Use

Many people today are already becoming familiar with contactless card technology, whether for work, school, or at their local gym. Contactless readers are being installed in entranceways and gates to restrict access to only those who have an active account with the organization. There are many different types of contactless cards; the most common are those similar to a standard credit card or ID. The NaviGO Server works with many types of smart cards including Crescendo, digital certificates, iClass, Prox, and Knowledge Based Authentication (KBA). Some new types of smart cards include some that can be put on a key ring, or stickers that can be used to grant access into buildings and computers.

Using naviGO software, administrators can control user credentials issued via contactless cards. The naviGO Administrator's Portal allows strong authentication to be customized based on policies or rules set by each organization. NaviGO can use information stored in Microsoft’s Active Directory to issue smart card credentials and apply user roles based on the group permissions (e.g. Administrators with Full Access, Users with Limited Access). Since many organizations are already using contactless cards for building access, this software will make use of the existing access cards to provide two-factor authentication.

Since most people are already familiar with access cards, they won't have to learn anything new or rely on calling a help desk to use the same card that let them enter the building to log on to their computer. This will make the transition to the new authentication policies painless and less confusing.

  

 

Closing Remarks about Security

An administrator can set up default PINs for new employees as well as a default set of Emergency Access questions. A number of questions are predefined in the naviGO Workstation, but unique questions can be made and added to the system depending on the administrators’ preferences. Additionally, rules for setting a PIN can be customized for added security. Email alerts can be set up using the naviGO Administrator’s Portal to keep users informed of PIN or password expirations and unintended access.

NaviGO Software has helped make advanced authentication much easier for small and large companies. For more information about how this specifically applies to the CJIS Mandate, visit CJISMandate.com.

 

Thank you for taking the time to read my blog about naviGO Software and the CJIS Advanced Authentication Mandate. If you have any questions, feel free to comment below as I am more than happy to answer any questions or comments.

To learn more about Action Identity, and how we can assist in making your organization CJIS compliant, visit our website

 

