The Future of IAM

Where is Identity and Access Management headed? What do consumers need for the future, and what defines a ‘consumer’ as compared to a ‘user’?

With technology being a big part of any business, the future of IAM carries great meaning, especially as concepts like cloud solutions, IDaaS (Identity as a Service), BYOD (Bring Your Own Device), IDoT (Identity of Things) and many others get bandied about and become more mainstream. Regarding the future of IAM, both Gartner and KuppingerCole have outlined the direction IAM will take. Gartner’s IAM research team has tried to quantify its vision and identified 5 key trends:

1. Every user is a consumer

New mobile and other non-PC architectures will shape the user access landscape.

Enterprises are demanding scalable solutions for identities and starting to embrace social media, cloud options and BYOD scenarios. This shift requires a business-driven self-service approach to simplify the added complexity that comes with allowing users some control. Faster IAM deployment, mobility options and scalability are driving new IAM solutions, pushing out old and rigid control paradigms that require technicians to maintain them. With every user requiring consumer privileges, IAM architectures will need to cater to the business as a whole, providing simple interfaces that work across desktop and mobile devices in order to keep up.

2. A competitive marketplace for identities

Social and business identities are converging; the line between work and private life is increasingly becoming blurred, even severed to the point where the two sides meld together for the convenience of the user and the business advantages to the employer. Social Logins from providers like Google, Facebook and PayPal have slowly been working their way into applications that are serving enterprises. Already, several healthcare, automotive, oil and gas, aerospace, defense and government infrastructures use third-party SSO identity providers to support their ID initiatives.

3. The death of least privilege

Enterprises will increasingly remove restrictions on non-critical or non-sensitive information and assets, allowing all users access to these resources. By opening up basic access to everyone, privileged access becomes easier to manage and IAM costs can be reduced. The principle of least privilege originated with government and military information security policies, based on the premise that each user should only have access to the very specific systems and resources they require to complete the individual tasks they are assigned. It’s like putting keycard locks on every single door, cubicle, workstation, toolbox, machine and phone in the building, and then not providing a common room. Obviously enough, the principle of least privilege brings a lot of administrative duties with it, and can be highly costly and time consuming to control. One way to be more lenient is to introduce a people-centric approach to security. People-centric security involves identity analytics and intelligence tools, like security behavioral analytics, to monitor, detect and correct user activity and behavior.

4. Attributes are “how we role”

Attribute Based Access Control (ABAC) will be the future for enterprises. Traditional Role Based Access Control (RBAC) is one-dimensional and rigid, making it unwieldy for handling the influx of devices, applications and connections through social media that can add up to ‘big data’—data so large that it requires complex systems just to read through it all. ABAC makes the needed connections automatically by looking at attribute profiles that can still include traditional roles, providing an extra layer that looks at the user first, rather than all the technical stuff. More and more new systems are supporting ABAC and systems that only support RBAC will become legacy. “Attributes will become the new currency of access control.”
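To make the RBAC/ABAC difference concrete, here is an added Python example (my own, not from the article, Gartner or IDM365) that evaluates the same requests under a fixed role matrix and under attribute rules. The subjects, the `quarterly-report` resource, the department and employment attributes and the office-hours rule are all constructed for illustration. The hybrid rule keeps the manager role as one attribute among others, which is what the article means by attribute profiles that "still include traditional roles".

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple


@dataclass
class Subject:
    name: str
    roles: FrozenSet[str]      # traditional RBAC roles
    attrs: Dict[str, str]      # directory attributes (department, employment, ...)


@dataclass
class Resource:
    name: str
    attrs: Dict[str, str]


# RBAC: a fixed (role, resource) -> actions matrix. Constructed sample data;
# every new population or resource needs a new role or a new row here.
RBAC_PERMISSIONS: Dict[Tuple[str, str], Set[str]] = {
    ("finance-analyst", "quarterly-report"): {"read"},
    ("finance-manager", "quarterly-report"): {"read", "approve"},
}


def rbac_allowed(subject: Subject, resource: Resource, action: str) -> bool:
    """Permit if any of the subject's roles grants the action on the resource."""
    return any(action in RBAC_PERMISSIONS.get((role, resource.name), set())
               for role in subject.roles)


# ABAC: rules are predicates over subject, resource, action and request context.
Rule = Callable[[Subject, Resource, str, Dict[str, int]], bool]


def read_within_own_department(s: Subject, r: Resource, action: str, ctx: Dict[str, int]) -> bool:
    """Anyone may read material owned by their own department; no role needed."""
    return action == "read" and s.attrs.get("department") == r.attrs.get("owner_department")


def approve_as_manager_in_office_hours(s: Subject, r: Resource, action: str, ctx: Dict[str, int]) -> bool:
    """The traditional role survives as one attribute among others (hybrid ABAC/RBAC)."""
    return (action == "approve" and "finance-manager" in s.roles
            and 8 <= ctx.get("hour", -1) < 18)


def deny_contractor_approval(s: Subject, r: Resource, action: str, ctx: Dict[str, int]) -> bool:
    """Employment type is an attribute the role matrix cannot see without an extra role."""
    return action == "approve" and s.attrs.get("employment") == "contractor"


PERMIT_RULES: List[Rule] = [read_within_own_department, approve_as_manager_in_office_hours]
DENY_RULES: List[Rule] = [deny_contractor_approval]


def abac_allowed(subject: Subject, resource: Resource, action: str, ctx: Dict[str, int]) -> bool:
    """Deny-overrides combining: a matching deny rule wins, otherwise one permit rule suffices."""
    if any(rule(subject, resource, action, ctx) for rule in DENY_RULES):
        return False
    return any(rule(subject, resource, action, ctx) for rule in PERMIT_RULES)


REPORT = Resource("quarterly-report", {"owner_department": "finance"})


def decide(subject: Subject, action: str, hour: int = 10) -> Tuple[bool, bool]:
    """Return (RBAC decision, ABAC decision) for one request made at the given hour."""
    return (rbac_allowed(subject, REPORT, action),
            abac_allowed(subject, REPORT, action, {"hour": hour}))


# Constructed identities used for the comparison.
NEW_HIRE = Subject("new hire, no role assigned yet", frozenset(),
                   {"department": "finance", "employment": "permanent"})
CONTRACTOR = Subject("contractor holding the manager role", frozenset({"finance-manager"}),
                     {"department": "finance", "employment": "contractor"})
MANAGER = Subject("permanent manager", frozenset({"finance-manager"}),
                  {"department": "finance", "employment": "permanent"})

if __name__ == "__main__":
    for who, action, hour in [(NEW_HIRE, "read", 10), (CONTRACTOR, "approve", 10),
                              (MANAGER, "approve", 10), (MANAGER, "approve", 22)]:
        rbac, abac = decide(who, action, hour)
        print(f"{who.name}: {action} at {hour:02d}:00 -> RBAC={rbac} ABAC={abac}")
```

The new hire can read departmental material under ABAC before anyone has assigned a role, while the contractor who was handed the manager role is still stopped from approving; the role matrix alone gets both of those cases wrong.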

5. Managing identity includes the Internet of Things

From the ISSA paper on the Gartner predictions:

The Internet of Things (IoT) links people, places, things, systems, and information sources into activity streams, deriving value for those interactions and relationships by using the context of combined “identities” (people, devices, and other “objects”), their attributes, and uses.

The internet is everywhere. No longer content with serving linked documents in a browser window, the internet has become a rich platform for doing almost anything, and it has been showing up more and more in every kind of machine, contraption, device and app mankind can come up with. For people and objects to interact properly, everything needs to have an identity: smart phones, smart lamps, smart watches, and other ‘smart’ gear, not to mention individual components of larger systems like those involved in building automation. Do an internet search on how to control your thermostat with your watch and you will quickly see that anything and everything is being networked nowadays. Managing all of these connected identities is known as the Identity of Things (IDoT). Keeping so many disparate devices running properly in an enterprise environment requires a single platform that interfaces with and controls them all from a central location, in other words, an IAM solution that is ready for it.

Conclusion

As the requirements, definitions and scope of IAM continue to expand and evolve, companies that provide IAM solutions will need to update their services and tools accordingly in order to handle all that data in a simple and user-friendly manner. Many of KuppingerCole’s fundamentals and Gartner’s vision for what IAM will look like in 2020 are already being covered now by IDM365. By always focusing on the user and giving control to the business’s decision makers through hybrid ABAC/RBAC, we make sure users have the right access based both on who they are and on what they need to do. Through automation and an interface that speaks to non-techies, IDM365 is a future-friendly tool for identity and access management that is ahead of the curve.

Sources

Identity and Access Management 2020, by Ray Wagner
Seven Fundamentals for Future Identity and Access Management, by Martin Kuppinger

IDM365

Posted in Uncategorized | Leave a comment

VBS – Logging the SCCM-way

Visual Basic Scripting history:

VBScript (Visual Basic Scripting Edition) is an Active Scripting language developed by Microsoft that is modeled on Visual Basic. It is designed as a “lightweight” language with a fast interpreter for use in a wide variety of Microsoft environments.

VBScript has been installed by default on every desktop release of Microsoft Windows since Windows 98, on Windows Server since Windows NT 4.0 and optionally with Windows CE.

Visual Basic Scripting is becoming an old scripting language, but it is still a very simple and useful language for working with and around System Center Configuration Manager (SCCM).

The script snippet includes three functions. These functions format, sort and print the information passed in, together with the current date and time, when the function is called.

' 8 = ForAppending, True = create the file if it does not exist yet
Set objOutputLog = oFSO.OpenTextFile("[Log file location]", 8, True)

Modify the above line in the script to point to the desired log file location.

' Writes one CMTrace-formatted line; the highlight value controls how CMTrace colours the entry
objOutputLog.WriteLine formatTrace32Line("[Information]", "[Category]", [Highlight value])

Modify and use the above line whenever a log entry is needed within the script. Here is an example of the output using SCCM’s log parser, CMTrace.exe/Trace32:
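The VBScript itself is only available through the download link, so as an added example (mine, not the post's script) here is the same idea in Python: one function that emits a line in the CMTrace/Trace32 log format and one that parses such lines back, which is also how you would check a log produced by the script. The log format itself is the one CMTrace reads (`<![LOG[...]LOG]!>` followed by `time`, `date`, `component`, `context`, `type`, `thread` and `file` fields). Two things are assumptions rather than facts from the post: that the post's "highlight value" corresponds to the `type` field (1 = information, 2 = warning, 3 = error, which CMTrace colours yellow and red), and the `+000` / `-60` spelling of the time-zone bias, which follows the convention seen in SCCM's own logs. The sample entries and component names are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# CMTrace severity codes; assumed to be what the post's "highlight value" selects.
SEVERITY: Dict[str, int] = {"info": 1, "warning": 2, "error": 3}


def _windows_bias_minutes(when: datetime) -> int:
    # Windows expresses a time zone as a bias in minutes with UTC = local + bias,
    # so UTC+1 is written as -60. A naive datetime is treated as UTC.
    offset = when.utcoffset() or timedelta(0)
    return -int(offset.total_seconds() // 60)


def format_cmtrace_line(message: str, component: str, severity: str = "info",
                        when: Optional[datetime] = None, thread: int = 0,
                        source_file: str = "") -> str:
    """Render one log entry exactly as CMTrace expects it."""
    if severity not in SEVERITY:
        raise ValueError(f"unknown severity {severity!r}")
    when = when if when is not None else datetime.now().astimezone()
    bias = _windows_bias_minutes(when)
    bias_str = f"{bias:+d}" if bias else "+000"          # convention: "+000" for UTC, "-60" for UTC+1
    time_str = when.strftime("%H:%M:%S.") + f"{when.microsecond // 1000:03d}{bias_str}"
    date_str = when.strftime("%m-%d-%Y")                  # CMTrace uses month-day-year
    return (f"<![LOG[{message}]LOG]!>"
            f'<time="{time_str}" date="{date_str}" component="{component}" '
            f'context="" type="{SEVERITY[severity]}" thread="{thread}" file="{source_file}">')


_LINE_RE = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" component="(?P<component>[^"]*)" '
    r'context="(?P<context>[^"]*)" type="(?P<type>[1-3])" thread="(?P<thread>\d+)" '
    r'file="(?P<file>[^"]*)">',
    re.DOTALL)  # messages may span several lines


def parse_cmtrace_line(line: str) -> Optional[dict]:
    """Parse one entry; returns None for lines that are not in CMTrace format."""
    match = _LINE_RE.fullmatch(line.rstrip("\r\n"))
    if not match:
        return None
    entry = match.groupdict()
    entry["type"] = int(entry["type"])
    entry["thread"] = int(entry["thread"])
    return entry


def count_by_type(lines: Iterable[str]) -> Dict[int, int]:
    """Tally entries per severity code, skipping anything that does not parse."""
    counts: Dict[int, int] = {}
    for line in lines:
        entry = parse_cmtrace_line(line)
        if entry is not None:
            counts[entry["type"]] = counts.get(entry["type"], 0) + 1
    return counts


# Constructed sample log with a fixed timestamp (09:30:05.123 in UTC+1) so the output is reproducible.
_FIXED = datetime(2015, 7, 14, 9, 30, 5, 123000, tzinfo=timezone(timedelta(hours=1)))
SAMPLE_LOG: List[str] = [
    format_cmtrace_line("Package download finished", "InstallApp", "info", _FIXED, 1234, "installapp.vbs"),
    format_cmtrace_line("Reboot pending, deferring install", "InstallApp", "warning", _FIXED, 1234, "installapp.vbs"),
    format_cmtrace_line("msiexec returned 1603", "InstallApp", "error", _FIXED, 1234, "installapp.vbs"),
    "not a cmtrace line",
]

if __name__ == "__main__":
    print("\n".join(SAMPLE_LOG[:3]))
    print(count_by_type(SAMPLE_LOG))
```

Open the three emitted lines in CMTrace and the warning and error entries are highlighted; the same `type` field is what a monitoring job would key on when scanning the log.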

Download the script here.


The IDM365 Attribute Store

What is the IDM365 attribute store?

As its name suggests, IDM365’s attribute store stores the different attributes for identities that have been configured through IDM365.

Each business has its own requirements that may call for different types of attributes for each of its users. One business may provide workers with a ‘salary number’ that they want stored or reflected in AD somehow, perhaps for backup purposes.

Another business might use ticket numbers and require additional details for contract workers, and a third might have a virtual department set up for robots and machine workers that require a spec sheet. The concept of the attribute store is to generalize these rules so that the attributes needed can be specified for each group of identities from a single interface.

Through the IDM365 interface, attribute store managers are able to specify the exact attributes that are required for users depending on the attributes they already have. The attribute store will then be referenced when setting up new identities, only asking for those attributes that have been set up for whatever divisions have been selected. For example, users in a specific business unit, department, location or other type of division may require certain contact information, and users with temporary employment may require stored information regarding the work they have been assigned. The attributes required for each identity will be reflected in the fields that are shown in the interface.

When configuring what attributes should be requested, the attribute store manager can select the type of field and data that is needed. For example, the user’s gender could be set up as a multiple choice option, their date of birth as a date entry, a signature line as a free-text area, and a scanned employment agreement as a file upload. As mentioned before, every business, enterprise, organization, office, workplace and otherwise is different; the attribute store is 100% configurable to accommodate those differences.
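The two paragraphs above describe a schema that is selected by division membership and typed per attribute. As an added example (my own sketch, not IDM365's implementation or data model) the Python below models such a store: a map from division keys to required attribute definitions, a function that works out which attributes a new identity must supply, and a validator that applies the configured data type to each value. The division keys, attribute names, choice lists and the dictionary used to represent a file upload are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Any, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class AttributeDef:
    name: str
    kind: str                       # "choice", "date", "text" or "file"
    choices: Tuple[str, ...] = ()   # only used for kind == "choice"


# Constructed store: which attributes each division requires. "*" applies to everyone.
ATTRIBUTE_STORE: Dict[str, List[AttributeDef]] = {
    "*": [
        AttributeDef("gender", "choice", ("female", "male", "other", "undisclosed")),
        AttributeDef("date_of_birth", "date"),
    ],
    "department:finance": [AttributeDef("salary_number", "text")],
    "employment:temporary": [
        AttributeDef("assignment_description", "text"),
        AttributeDef("employment_agreement", "file"),
    ],
    "department:robotics": [AttributeDef("spec_sheet", "file")],
}


def required_attributes(divisions: Iterable[str]) -> List[AttributeDef]:
    """Collect the definitions for an identity's divisions; the first definition of a name wins."""
    seen = set()
    result: List[AttributeDef] = []
    for key in ["*", *divisions]:
        for attr in ATTRIBUTE_STORE.get(key, []):
            if attr.name not in seen:
                seen.add(attr.name)
                result.append(attr)
    return result


def _valid_value(attr: AttributeDef, value: Any) -> bool:
    """Apply the configured data type to one supplied value."""
    if attr.kind == "choice":
        return value in attr.choices
    if attr.kind == "date":
        if isinstance(value, date):
            return True
        try:
            date.fromisoformat(str(value))   # accept ISO 8601 text such as "1980-02-29"
            return True
        except ValueError:
            return False
    if attr.kind == "text":
        return isinstance(value, str) and value.strip() != ""
    if attr.kind == "file":
        # Constructed representation of an upload: metadata plus a content hash.
        return isinstance(value, dict) and bool(value.get("filename")) and bool(value.get("sha256"))
    return False


def validate_identity(divisions: Iterable[str], values: Dict[str, Any]) -> Dict[str, str]:
    """Return {attribute: problem} for missing or malformed required attributes; empty means OK."""
    problems: Dict[str, str] = {}
    for attr in required_attributes(divisions):
        if attr.name not in values:
            problems[attr.name] = "missing"
        elif not _valid_value(attr, values[attr.name]):
            problems[attr.name] = f"invalid {attr.kind}"
    return problems


if __name__ == "__main__":
    divisions = ["department:finance", "employment:temporary"]
    print([a.name for a in required_attributes(divisions)])
    print(validate_identity(divisions, {"gender": "unknown", "date_of_birth": "29/02/1980",
                                        "salary_number": "4711", "assignment_description": "  "}))
```

Because the interface only asks for what `required_attributes` returns, a permanent finance employee never sees the contract-worker fields, while a temporary worker in the same department is asked for the agreement upload as well.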

Features

  • Management-friendly configuration of required attributes from the same IDM365 interface used for identity and access management.
  • Custom attributes per client that can be synchronized to systems based on logic and business rules.
  • Configurable data types for requested attributes.

SOURCE: IDM365


Implementing an IAMG solution?

Identity and Access Management and Governance is a solution that has an impact on your business organisation as a whole, not only on the IT organisation. Controlling the whole user lifecycle management and ensuring that the users have access to only what they need to fulfil their job, is a task that takes considerable workload away from IT and makes it possible to empower the business organisation for self-service.

In order to assess which IAM solution is most feasible, it is necessary to prioritise which benefits to achieve in the short and long term. In order to ensure buy-in from the business organisation, make sure that the benefits are valuable for the key stakeholders in the organisation. Before implementing an IAMG solution, it is important to decide how and whom to address in the organisation:

Review current processes and organisation: Check that internal policies (risks, governance standards, and workflows) are documented, correct, and up to date. Depending on the readiness of the organisation and the maturity of current processes, establish a baseline in order to measure benefits. You need to consider whether a pre-analysis or an initial AD Clean and Assessment is needed, in order to establish quantitative data for a business case and to get an overview of the current state.

Understand the stakeholders’ needs: Understand the impact and make the benefits visible and valuable for the relevant parts of the business. Establish a baseline of current processes in order to measure benefits and enhance buy-in from the stakeholder community.

Roll-out strategy: A successful IAM implementation can take up to three years if all record and engagement systems are to be integrated across business units and business sites. Align the roll-out strategy with the organisation’s readiness and processes, and consider the extent of diversity within the organisation.

Lead the change: Engagement is the key to a successful deployment and critical for governance. Involving the right people across the business and getting buy-in from system owners, executives and end users is critical to getting the full benefit of an IAMG solution.


MDM and MAM – just buzzwords?

Mobile Device Management seems to be one of the newer buzzwords, but what exactly is it and why do we need it?

With every new device and the continuous stream of software updates, mobile devices are getting increasingly more advanced and flexible, allowing users to access more information and data through e.g. mobile-friendly websites, app store apps, and even purpose-built apps. This of course includes corporate data.

This obviously presents a risk of corporate data finding its way into the wrong hands, either by accident or by theft. In some organizations this risk is unknowingly neglected.

One way to minimize the risk is by simply limiting or removing access to the data – by removing access to Exchange Active Sync, SharePoint etc. However, this is far from ideal, as it limits the productivity and flexibility of the individual employee.

Mobile Device Management solutions allow you to maintain the mobile benefits for the employees while still ensuring a high level of security, even with BYOD devices!

There are many mobile device management solutions on the market and the amount of features varies quite a lot, so it is important to identify exactly what you are trying to achieve: whether it be a basic, easy-to-configure-and-manage MDM solution of the kind that is typically bundled with other software, or a standalone full-blown MDM/MAM solution that includes advanced policy configurations, per-app VPN, app wrapping and much more.

If you are looking to secure your mobile devices, we can help you through the MDM jungle, to make sure you get the right solution for your organization.


Migrating File Server from Windows Server 2003 to Windows Server 2012 R2

To follow up on my previous blog post regarding RADIUS from Windows 2003 to Windows 2012, due to the end of life of Windows 2003 on July 14th 2015, I will continue down this track and provide you with a simple guide to migrate the file server from a source server running Windows 2003 to a target server running Windows 2012 R2.

1. (On the Target Server) Run the command below to start the initial copy of the data:

robocopy \\source_server\source_folder <Drive letter>:\target_folder /e /zb /copyall /log:<Drive letter>:\initial_copy.log

2. (On the Source Server) Export the registry key below:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares

3. (On the Source Server) Stop sharing the shares in “Computer Management > Shared Folders > Shares”.

4. (On the Target Server) Run the command below to start the incremental/final copy of the data. The shares are no longer available, so the source is now addressed through the administrative share:

robocopy \\source_server\D$\source_folder <Drive letter>:\target_folder /e /zb /mir /log:<Drive letter>:\mirror_copy.log

5. (On the Source Server) Import the registry key below, which you exported in step 2:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares

Link (Robocopy – Command-Line)
Link (Saving and restoring existing Windows shares)


What about Single Sign-On?

Are Single Sign-On (SSO) and Identity and Access Management (IAM) the same? How do password resets differ when using SSO? What is best: a specialised SSO solution combined with a specialised IAM solution, or a “one-size-fits-all” solution?

SSO vs IAM

SSO and IAM are two different ingredients for managing identities and system access in general. SSO provides a single login so that users only need to sign in once for access to multiple resources, while IAM provides a unified way to control access to individual resources, both working across all connected systems and software. You can easily have SSO without IAM, and IAM without SSO; the responsible IT department will have both. SSO and IAM provide the greatest protection when they work together.

Password Resets

A major concern when it comes to identities is how to deal with passwords, especially when they need to be provided, replaced, or reset. When resetting a password, a randomized password or login key will be supplied. The password policy on the individual system will then decide if the new password or key can be kept, or if the user needs to change it directly upon their first login after the reset.

When resetting a password via an SSO solution, the SSO platform (1) handles passwords according to the local security or password policy, (2) synchronizes the new password with all available platforms and (3) ensures that once you’re logged in, no further login is required even when you change from system to system. In addition to the three basic tasks, a specialised SSO platform will conform exactly to your specific security requirements and be able to handle things like two-factor authentication, biometrics, chip cards, SMS codes, picture puzzles, etc. The greater capabilities of a specialised solution built by specialists in the field help to ensure the highest level of security from any device on your infrastructure!
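The reset flow in the two paragraphs above (a randomized password, checked against each connected system's policy, then synchronized everywhere, with the local policy deciding whether it must be changed at first login) is easy to get wrong if the reset password is generated with a non-cryptographic random source or only satisfies one system's policy. As an added example (mine, not IDM365's or any SSO vendor's code) the Python below generates the reset password from the OS random source, combines the policies of all connected systems into the strictest one so a single synchronized password passes everywhere, and reports per system whether the user must change it. The policy fields, the two sample systems and the accepted symbol set are constructed assumptions.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    force_change_after_reset: bool = True   # may the randomized password be kept?


# Symbols most systems accept without escaping trouble (assumption for the example).
SYMBOLS = "!#$%&*+-=?@_"


def violations(password: str, policy: PasswordPolicy) -> List[str]:
    """List which policy requirements a password fails; empty list means compliant."""
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append("length")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("upper")
    if policy.require_lower and not any(c.islower() for c in password):
        problems.append("lower")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("digit")
    if policy.require_symbol and not any(c in SYMBOLS for c in password):
        problems.append("symbol")
    return problems


def strictest(policies: Iterable[PasswordPolicy]) -> PasswordPolicy:
    """Combine the connected systems' policies so one password satisfies all of them."""
    ps = list(policies)
    return PasswordPolicy(
        min_length=max(p.min_length for p in ps),
        require_upper=any(p.require_upper for p in ps),
        require_lower=any(p.require_lower for p in ps),
        require_digit=any(p.require_digit for p in ps),
        require_symbol=any(p.require_symbol for p in ps),
        force_change_after_reset=any(p.force_change_after_reset for p in ps),
    )


def generate_reset_password(policy: PasswordPolicy) -> str:
    """Draw from the OS CSPRNG until the candidate meets the policy (rejection sampling)."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    classes_needed = sum([policy.require_upper, policy.require_lower,
                         policy.require_digit, policy.require_symbol])
    length = max(policy.min_length, classes_needed)   # otherwise the loop could never succeed
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not violations(candidate, policy):
            return candidate


def reset_for_systems(systems: Dict[str, PasswordPolicy]) -> Dict[str, object]:
    """One reset password for every connected system, plus each system's must-change decision."""
    password = generate_reset_password(strictest(systems.values()))
    return {
        "password": password,
        "must_change": {name: pol.force_change_after_reset for name, pol in systems.items()},
    }


# Constructed sample: a directory with a strict policy and an ERP system with a lenient one.
SYSTEMS: Dict[str, PasswordPolicy] = {
    "ad": PasswordPolicy(),
    "erp": PasswordPolicy(min_length=8, require_symbol=False, force_change_after_reset=False),
}

if __name__ == "__main__":
    result = reset_for_systems(SYSTEMS)
    print(result["must_change"])
    print({name: violations(result["password"], pol) for name, pol in SYSTEMS.items()})
```

The `must_change` map is the part the SSO platform hands back to each system: the directory forces a change at first login, the ERP system accepts the synchronized password as-is, and in both cases the password was drawn from `secrets`, never from `random`.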

The Best Solution

Which is best: an all-in-one solution, or separate, specialized solutions? Well, it all depends. :-) But you knew that, right?

Personally, I find that I get the highest quality and standard of service by going to the specialists and utilizing specialized tools where available. I really like the freedom of being able to, at any given time, replace a part of my infrastructure with the “modern standard” for the future, or to flexibly comply with new legislation, new compliance demands, or new customer demands without changing out a whole suite with one that suits the new functionality. And, when it comes to SSO, it is such a crucial and fundamental part of my basic infrastructure that I want the best; then I want an IAM solution that both integrates seamlessly with my infrastructure and can match the quality level and security that I have decided on.

What does that all mean? It means that choosing an SSO tool will not solve your challenges with regards to Identity and Access Management. It means that choosing an IAM tool will not fully cover your password security policy. (At least I hope not… If so, I suggest you aim higher.) But together they provide you the best possible control over your users, their access rights, passwords, support, self-service, and much more.

So, choose an SSO solution that fits your security standards (and then some), and make sure they provide a useful API so that there is a means of integrating with it. And, choose an IAM / IDM tool that integrates with any SSO vendor you can think of (including your vendor of choice)—one that smoothly enables your colleagues to handle self-service tasks regarding access rights management, password resets, and so on.

SOURCE: IDM365
