IDM365 identity and access management for the finance sector

Challenges in this sector

Financial service providers (banks, insurance brokers, wealth and asset managers) need to be aware of the requirements for effective identity management more so than in most other industries because of the complexity and risks inherent in the financial environment. Any breach of or lapse in security can be disastrous and costly with potential revenue loss, increased operating costs and a damaged reputation leading the list of harmful consequences.

The regulatory framework that applies to this industry requires full compliance and strict control over what are often highly complex IT environments burdened with a large number of users. The financial sector must deal with increasingly numerous and stringent national and international regulations and regulatory agencies.

Your solution

Identity and Access Governance (IAG) is the most comprehensive way to manage access to enterprise resources. IDM365 provides a foundation for information security and a top-level way for users to interact with security software and comply with data policies. The Sarbanes-Oxley Act of 2002 (SOX) made corporate governance practices more transparent in an effort to improve investor confidence. IT is a major player in SOX compliance, as the majority of the data required for financial reports is generated or stored electronically.

Compliance regulations

IDM365 helps your organization achieve compliance with regulations such as:

  • The Sarbanes-Oxley Act of 2002 (SOX)
  • Basel II
  • ISO 27001

Operational risk challenges

Proper Account Termination
Research shows that over 40% of user access rights are not removed upon termination. These orphaned accounts increase risk exposure by a factor of 23—a staggering amount.

Management of a Central Security Policy
It is critical not only to define a central security policy but also to ensure that it is implemented and enforced across the entire organization.

Controlled Sharing of Information
Ensuring that different business units in your company can’t involuntarily share sensitive information is crucial for a company of your stature.

Secure Audit Trails & On-Time Reporting
A critical component of any operation is the detailed and trustworthy logging of information to be used later in audits. This data serves to alert auditors of any potential compromise.

Secure Procedures for Access to High-Risk Systems and Databases
Ensuring that all the correct users have access to secured systems can be both difficult and tedious to manage. Properly managing access to these high-risk systems and databases is an essential component.

IDM365 solutions

IDM365 security features

  • Complete and immediate removal of access carried out across all resources when a user is terminated, done with the push of a button
  • Centralized security policies enforced across all users and systems
  • Approval workflows integrated to ensure proper tracking and fulfillment
  • Detailed records kept of every change carried out across the entire infrastructure, producing reliable audit logs (e.g. access requests, authorization decisions and administrative changes)
  • Who has access to what information can be determined immediately
  • Adherence to the approval process can be measured in just three clicks
  • Access management handled through automated processes for the entire user life cycle
  • Centralized Identification and authorization for all applications
  • Tighter security and sustained compliance management via detailed reporting and secure audit capabilities

Notable Security Statistics
According to a recent Forrester report, over 60% of breaches originate from insiders due to either inadvertent misuse of data or malicious intent.

Challenge of cost reduction and optimization

Tedious manual operations
Forms are often manually filled out and sent out, requiring stamped approval by one or more managers. IT personnel who are tasked with managing users must then carry out each request one-by-one in each system and application.

Thousands of hours are usually spent by IT departments carrying out these tasks. It’s not an interesting job but highly paid employees usually carry it out.

On-boarding and off-boarding slows operations
Businesses often suffer because new employees have to wait long periods for their access to get added or updated. Automated role-based access provisioning cuts this time down.

System deployment is complex and resource intensive
Introducing new or upgraded systems can take months of focused work, requiring lots of manual and costly labor to get running fully. Having to make sure that every user has the correct level of access can be overwhelming and a barrier to upgrading equipment. This can be sped up with a global overview that allows the rapid and secure deployment of such systems.

Optimizing with IDM365

Speed up system deployment
IDM365 provides a structure for managing users that mirrors your business. With a proper overview and the means to create access profiles that target users within groups, new systems can be deployed more rapidly. Some of IDM365's resource-saving features are:

  • Self-service administration and personalization including password resets
  • Increased speed and productivity through automation
  • Delegated administration that allows data owners to manage access to resources rather than handing it off to a service desk or IT
  • Role-based provisioning allowing management to assign new job functions themselves with as little as 3 clicks

Focused software
IDM365 is not a complicated suite of modules. It gives you a VERY efficient control tool that enables you to streamline, and even move Identity and Access Management (IAM) anywhere you want in the organization. With it, you can ensure compliance and simplify control for highly critical internal and external systems in offices at all levels and geographies.

Compliance through IDM365

Identity and Access Management (IAM) provides a foundation for information security and a top-level way for users to interact with security software and comply with data policies and governance frameworks such as the Sarbanes-Oxley Act of 2002 (SOX).

Ensure transparency of complex IT systems
IDM365 provides automated processes for attestation, reporting, and segregation of duties (SoD), enabling your company to enforce policies. Transparency is further augmented by instant, up-to-date documentation and reports covering user access rights and entitlements. With access to all systems, effective governance, risk management and compliance can be achieved.

Enforce access policies
IDM365 provides a strong defense against inappropriate information access through IAM. Rapid, secure processes ensure detailed recording of changes and transactions.

Manage access through roles and attributes
IDM365 merges Role Based and Attribute Based Access Control (RBAC & ABAC) to handle user access in a way that management can understand and that looks at each user individually. As an example, two identical users may require different access if they’re at different locations.

  • IDM365’s focus on business-centric governance provides enterprise-wide control and compliance. In your sector, combining this into one system provides enormous benefits.

The IDM365 Rapid Implementation Policy

The deployment of a tool for IAM can be tedious and for many often runs over time and over budget. We have developed proprietary tools that allow us to rapidly set up IDM365 in a new environment.

IDM365:CLEAN is our analysis tool which we use to generate reports for each system involved in the implementation. These reports identify permissions that are redundant, no longer in use, or that can be removed for other reasons.

IDM365:ORGANIZE is a tool for automatically generating suggestions for role design and mapping based on the data gathered during the CLEAN process. This special software engine was developed in-house based on highly complex pattern recognition formulas.

These tools ensure that the implementation of IDM365 stays within the agreed time and scope, and add transparency so that you stay on top of the whole project.


Migrating DHCP From Windows Server 2003 to 2012 R2

Windows Server 2003 is reaching the end of its lifecycle (14 July, 2015). To address this concern, Microsoft provides great tools to assist organizations in their migration efforts: the "Windows Server Migration Tools".

Unfortunately these tools require installation on both the destination and the source server (.NET 3.5, PowerShell and the Windows Server Migration Tools themselves). If you want to move a single service like DHCP, it can be preferable, and even faster, to simply use the built-in commands.

Below is a quick step-by-step guide to migrating DHCP from Windows 2003 to Windows 2012 R2 using the netsh command.
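As an added illustration of the netsh approach (this is not the original guide, whose step screenshots are not reproduced here), the export on the old server and the import, verification and authorization on the new one. The export file path, the server names and the scope ID are assumptions; the netsh lines run in cmd.exe on 2003 and the PowerShell cmdlets require the DhcpServer module that ships with the 2012 R2 role:

```powershell
# --- On the Windows Server 2003 source (elevated cmd.exe; 2003 has no PowerShell by default) ---
# Export all scopes, options, reservations and leases of the local DHCP service into one file.
# "all" exports every scope; a space-separated list of scope IDs would export only those.
netsh dhcp server export C:\dhcp-export.txt all

# Copy C:\dhcp-export.txt to the 2012 R2 server (path is an assumption for this example).

# --- On the Windows Server 2012 R2 destination (elevated PowerShell) ---
# Install the DHCP role and its management tools; harmless if already present.
Install-WindowsFeature DHCP -IncludeManagementTools

# Import into the local DHCP service. The target should have no scopes that conflict
# with the ones in the file, so do this before creating anything by hand.
netsh dhcp server import C:\dhcp-export.txt all

# Check what arrived before putting the server into service.
Get-DhcpServerv4Scope
Get-DhcpServerv4Reservation -ScopeId 192.168.10.0   # constructed scope ID; pick one from the listing above

# Authorize the new server in Active Directory (assumed name and address) and restart the
# service so the authorization takes effect.
Add-DhcpServerInDC -DnsName dhcp2012.example.com -IPAddress 192.168.10.5
Restart-Service DHCPServer

# Only now stop the 2003 service, so that two servers never hand out leases for the same
# scopes at the same time; remove its authorization from the directory as well.
# On the old server: net stop "DHCP Server"   and   sc config DHCPServer start= disabled
# In AD:            netsh dhcp delete server dhcp2003.example.com 192.168.10.4
```

The order matters: the leases in the export keep clients from being handed duplicate addresses, and the old server is decommissioned only after the new one has been verified and authorized.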



The y-Cloud

I have been in this business for quite some years now and things tend to go in circles – or just like fashion – the same thing pops up again with just a little twist. So what does this have to do with IT and the omnipresent cloud? The cloud has always been there; it is just a new name for a datacenter – on-premise or off-premise – what has changed is the way we should utilize the cloud, and that is more than a little twist.


This is where the y-Cloud comes in – why should we utilize the cloud? It is all in the solutions – solutions are made up of one or more applications, which together with their associated processes and workflows make up the solution. Moving servers to a virtualized platform on-premise or off-premise does not mean you have utilized the cloud – you have just moved your servers to a more energy-efficient platform; basically this is good, but old news. But let us stick to servers – servers are expensive, maybe not to buy, but to maintain, and a lot of applications are placed on dedicated servers with low average utilization, making them less efficient and in most cases under-utilized. The different vendors of cloud technology provide technology to run applications across several servers, building solutions that utilize the capacity of the servers more efficiently and offer more flexible scalability. This is "y" we should utilize the cloud, and as mentioned earlier, this can be done both on and off-premise. Of course, this is not done just by flipping a switch – it requires some careful preparation. Moving solutions to the cloud requires that you know what services your applications deliver and how these build your solutions. When you have documented the business processes and workflows of the solution, you can map the technology services to match. With this you will be able to decide how and which services can be moved to the cloud. The upside of doing this is that you end up with a documented solution with quantifiable services, which really is what this is all about. Some years ago we talked about service-enabling solutions – now it is cloud-enabling – does this sound familiar? So – when you talk with suppliers and vendors about y-Cloud – keep this in mind – it takes a lot of work to get there and yes, it is expensive – do they have a process for getting you ready for the cloud?
Just because you can see clouds from your windows – it does not mean you have actually moved among them…


Lync On-Premise vs Lync Online (Office 365)

Companies are curious to know which of the three available Lync solutions suits them.

Implement Lync Hosted or on-premise, or Office 365/Lync Online: that is the question.

To start out, the most important thing is to determine the needs of the company – and based on these needs we can identify the Lync solution that fits best.

In my opinion, and because “I love to have control and access to all features”, I have to say that I prefer Lync Hosted or On-Premise.

So we can have the following implementation scenarios:

  1. Lync Hosted or on-premise
  2. Office 365
  3. Lync Online

Following are the advantages and disadvantages of all three options.

For starters, the Lync Online and Office 365 are located online on the cloud. These solutions are low-cost, but are lacking key features that are important to many organizations.

Feature differences

[Screenshot: feature comparison table for the three Lync options]

Enterprise Voice (SIP Trunk) is only available in hosted or on-premises installations. You must have a SIP trunking service qualified for Lync Server 2013, or a qualified gateway.

Technical differences 

[Screenshot: technical comparison table for the three Lync options]

Data Security and Privacy

Hosting Lync online relieves the organization of deploying more hardware and managing licenses, and it is very easy to set up. But it can seem elusive to get access to the data and to find out where it is stored.

So before implementing Lync Online, read the Microsoft EULA carefully. Microsoft has rights to all analytics, including data that is stored in their datacentre. This also depends on the privacy laws in each region. But this data is not available to you, so you don't have the possibility to use the reporting features.

So what is the best solution for you?

As mentioned above, this depends on your needs:

[Screenshot: table matching organizational needs to the Lync options]

You can also take a look at the Client comparison tables for Lync Server 2013 (these tables indicate the features that are available to Lync users in an on-premises deployment of Lync Server 2013; the same features are also available to Lync Online and Office 365 users unless otherwise indicated).

Conclusion

All the Lync options are valid, so if you want to get the best option for your organization, do not hesitate to contact us, and we can design the best solution for your needs.

(Information for this post has been retrieved here)


Folder Redirection

The purpose of folder redirection is simply to move the user files, such as “my documents”, away from the local computer and onto a network share. There are several advantages to this:

  • The user data can easily be included in the centralized backup.
  • The users can use different computers, and still have their data available.
  • Offline files are configured by default for any redirected folder, so the user will still have access to their data, while away from the network.

The following folders can be redirected:

[Image: list of folders that can be redirected]

From Windows Vista onward, synchronization happens as changes occur, so you won't have to wait for a complete synchronization when you log on and off. The requirements to set this up are pretty straightforward: you will need a file server, Active Directory and Group Policy management available.

File Server

The first thing to set up is the file server. As it is user data we are redirecting, it would be obvious to use the users' home drive, if one exists. Most companies already have this in place. If not, you will have to set up a network location that can be used.

If user home drives already are in place, no changes are necessary, and the system can use the existing folders, as shown later. The procedure for creating new user home drives is unchanged, and the folder creation can be handled by whichever method is already in place, often an identity management system, such as IDM365.

If it is not in place, the easiest method is to let the logon procedure handle the folder creation when folders are redirected. This way, when a user without a folder logs on, one is automatically created. This needs very specific permissions on the share, to allow the user accounts to create their own folder while still not having access to look in the other users' folders. Set the following permissions on the share where the user folders will be created:

  • Remove permission inheritance.
  • Remove the group "Users" from the security list.
  • Administrators – full control
  • System – full control
  • Creator/owner – full control
  • Everyone – special permissions: traverse folder/execute file, read attributes, create folders/append data. These permissions are set on "this folder only".
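As an added example of applying exactly that permission set (this is not from the original post; the root path, share name and share-level permission are assumptions), using icacls so the specific rights and the "this folder only" scope are spelled out explicitly:

```powershell
# Added example: prepare the root folder that folder redirection will create per-user
# folders under. $Root and $ShareName are assumptions for this illustration.
$Root      = 'D:\UserData'
$ShareName = 'UserData$'

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# 1. Remove permission inheritance and do not copy the inherited entries down.
icacls $Root /inheritance:r | Out-Null

# 2. Make sure no explicit "Users" entry is left that would let everyone read other
#    people's folders (a no-op if the entry only ever came through inheritance).
icacls $Root /remove:g 'BUILTIN\Users' | Out-Null

# 3. Administrators, SYSTEM and CREATOR OWNER: full control.
#    CREATOR OWNER is granted inherit-only (IO), so it never applies to the root itself;
#    it turns into full control for each user on the folder the logon process creates.
icacls $Root /grant 'BUILTIN\Administrators:(OI)(CI)F' `
                    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
                    'CREATOR OWNER:(OI)(CI)(IO)F' | Out-Null

# 4. Everyone, "this folder only" (no OI/CI flags): traverse/execute (X), read
#    attributes (RA), create folders/append data (AD). Enough to step into the root
#    and create one's own folder, not enough to list or open other users' folders.
icacls $Root /grant 'Everyone:(X,RA,AD)' | Out-Null

# Publish the share. The NTFS entries above do the real restricting, so the share-level
# permission can stay broad (assumed here: Authenticated Users).
New-SmbShare -Name $ShareName -Path $Root -FullAccess 'Authenticated Users' | Out-Null

# Print the resulting ACL so it can be checked line by line against the list above.
icacls $Root
```

A quick test after logging on as an ordinary user: creating a folder under the share succeeds, listing the root or opening another user's folder is denied, and the folder the user created shows that user with full control via the CREATOR OWNER entry.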


When the file server is set up correctly, you can go on to the next part, the setup of group policy.

Group policy

To set up the actual redirection of user folders, we need a GPO. Either use an existing one or create a new one. Edit the policy and go to User Configuration – Policies – Windows Settings – Folder Redirection. Select the folder you wish to redirect and click Properties.


Select Basic if you wish to store all the user data on the same server. If you select Advanced, you can redirect folders to different servers based on security group membership.


If you want the logon process to create folders, select "Create a folder for each user under the root path" and point it to the \\server\sharename of the file server. If Active Directory already has the home drive attribute configured for each user, you can use that, or you can specify a location such as \\server\sharename\%username%. Go to the Settings tab and select the settings that you want. You would only rarely select "Grant the user exclusive rights", since this setting removes access even for administrators.


Now all you have to do is link the group policy to the OU in Active Directory where your test users are located, and start testing.


How to Remove / Rollback a Patch using SCCM

You may find various reasons to remove a patch from your clients and/or servers. This is one way to do so. This method will not work for OS versions older than Windows 7 and Server 2008 R2.

First you have to identify the patch that you want to rollback/Remove.
In this case we use patch KB2898514 as example.


This method uses the Windows Update Standalone Installer (Wusa.exe), which is built into Windows 7 and above (and Server 2008 R2 and above).

Wusa.exe is located in "C:\Windows\System32" and "C:\Windows\SysWOW64", depending on which version of Windows is used.
What we need to do is execute Wusa.exe with parameters. In this case the command will be:

Wusa.exe /uninstall /kb:2898514 /quiet /norestart

Explanation of the command:

  • Wusa.exe – Windows Update Standalone Installer executable
  • /Uninstall – Switch that tells Wusa.exe to go in uninstall mode
  • /kb:2898514 – Switch that tells Wusa.exe which update to work with.
  • /quiet – Switch that tells Wusa.exe to run without user input or visible progress.
  • /norestart – Switch that tells Wusa.exe to ignore restart commands from the patch.

In a mass deployment like this one, the /quiet and /norestart switches are a good idea, as the users on the other end will not be interrupted in their work by unnecessary prompts or reboots.
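As an added example (not part of the original post), a small PowerShell wrapper around the same Wusa.exe command that skips machines where the hotfix is not installed and hands Wusa.exe's exit code back to the caller, so the task sequence step can treat 3010 (ERROR_SUCCESS_REBOOT_REQUIRED) as "removed, reboot pending" rather than as a failure. The KB number is the page's example; the function and file names are mine:

```powershell
# Added example: idempotent removal of one hotfix for use as a task sequence
# "Run Command Line" step. Not part of the original post.
param([string]$Kb = '2898514')   # KB number without the "KB" prefix; the page's example

function Remove-HotfixIfPresent {
    param([Parameter(Mandatory)][string]$Kb)
    $id = "KB$Kb"

    # Get-HotFix reads the installed-updates list; no point starting Wusa.exe
    # on a machine that never received the patch.
    if (-not (Get-HotFix -Id $id -ErrorAction SilentlyContinue)) {
        Write-Host "$id is not installed; nothing to do."
        return 0
    }

    # Same switches as in the post: uninstall, no UI, and never reboot on our own.
    $proc = Start-Process -FilePath 'wusa.exe' `
        -ArgumentList "/uninstall /kb:$Kb /quiet /norestart" `
        -Wait -PassThru

    switch ($proc.ExitCode) {
        0    { Write-Host "$id removed." }
        3010 { Write-Host "$id removed; a restart is required to finish (3010)." }
        default { Write-Warning "wusa.exe exited with code $($proc.ExitCode) while removing $id" }
    }
    return $proc.ExitCode
}

# The script's exit code becomes the step's return code in SCCM; 0 and 3010 count as success.
exit (Remove-HotfixIfPresent -Kb $Kb)
```

Saved as, say, Remove-Hotfix.ps1 (name assumed) in a package, the Run Command Line step would call `powershell.exe -ExecutionPolicy Bypass -File Remove-Hotfix.ps1 -Kb 2898514`; the gating on Get-HotFix keeps the step from reporting errors on machines that were never patched.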

Now we want SCCM to execute the command on all machines. In this case we use a Task sequence to do it, but we might as well use a package/program.

Create a custom Task Sequence. Right-click and select Create Task Sequence.


Select Create a new custom task sequence, then click Next.


Name your Task Sequence. Since we are not deploying an operating system, we don’t need to choose a boot image. Click Next.


At the Summary page, click Next.


Click Close at the Completion screen.


Now the Task Sequence is created. Right-click on the Task Sequence and select Edit.


As we created a custom Task Sequence, it has no predefined steps.


Click the Add button at the top of the screen and select General > Run Command Line.


We can edit the name of the Command Line step if we want, but other than that we just need to fill in the command line in the "Command Line:" box. Click OK when done.


Now we need to deploy the Task Sequence to the collection of computers that need the rollback.

Right click on the Task Sequence and select Deploy.


Choose the desired computer collection and click Next.


We have to choose whether the rollback should be Required or Available. In this case we want to remove the patch on every machine, so we choose Required and the patch will be removed automatically. If we would rather let the users choose whether they want the patch uninstalled, we choose Available, and the user then has to start the Task Sequence manually.

Click Next to proceed.


Because we're deploying it as a Required deployment, we need to add an assignment. Click the New button to add either a Schedule or an Event assignment. Under "Assign immediately after this event" we choose "As soon as possible" and click OK and Next.


Leave this page as default and click Next.


Leave this page as default and click Next.


Leave this page as default and click Next.


Click Next.


Click Close and we’re done!


What is Segregation of Duties?

Segregation of Duties, or SoD, is primarily used to prevent any user from being able to wield too much power, to the point where their permissions allow them to circumvent normal approval processes. For example, when dealing with sensitive data, no one should be able to both make a request and, at the same time approve it, acting as both requestor and approver. These types of permissions should be mutually exclusive so that users maintain a level of accountability.

Identity Management makes it easy to manage Segregation of Duties in your business, and IDM365 produces reports that codify the different roles and user entries, so that it can be proven that they are governed.
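As an added example (not IDM365's own code or reports), a minimal version of the two checks this post and the "Manage access through roles and attributes" section of the finance page describe: a scan of role assignments for a pair of roles that must never sit on the same person (requester and approver), and an access decision that combines the role (RBAC) with a per-user attribute (ABAC), here the location, so two users with the same role can still get different answers. The assignments, rule and role names are constructed sample data:

```powershell
# Added example: SoD conflict detection plus a role+attribute access decision.
# All data below is constructed for illustration; in practice it would come from an
# export of group memberships or an IAM system's role report.

$Assignments = @(
    [pscustomobject]@{ User = 'alice'; Role = 'PaymentRequester'; Location = 'CPH' }
    [pscustomobject]@{ User = 'alice'; Role = 'PaymentApprover';  Location = 'CPH' }   # the toxic combination
    [pscustomobject]@{ User = 'bob';   Role = 'PaymentApprover';  Location = 'LON' }
    [pscustomobject]@{ User = 'carol'; Role = 'PaymentRequester'; Location = 'LON' }
)

# Each SoD rule names two roles that are mutually exclusive for a single identity.
$SodRules = @(
    @{ RoleA = 'PaymentRequester'; RoleB = 'PaymentApprover'; Reason = 'a requester must not approve payments' }
)

function Find-SodViolation {
    param([object[]]$Assignments, [hashtable[]]$Rules)
    # Group the assignment rows per user and test every rule against that user's role set.
    foreach ($u in ($Assignments | Group-Object User)) {
        $roles = @($u.Group.Role)
        foreach ($r in $Rules) {
            if (($roles -contains $r.RoleA) -and ($roles -contains $r.RoleB)) {
                [pscustomobject]@{ User = $u.Name; Roles = "$($r.RoleA) + $($r.RoleB)"; Reason = $r.Reason }
            }
        }
    }
}

function Test-Access {
    param([string]$User, [string]$Action, [string]$SystemLocation)
    # RBAC part: the action maps to the role that is allowed to perform it.
    $needed = @{ 'approve-payment' = 'PaymentApprover'; 'request-payment' = 'PaymentRequester' }
    $mine = @($Assignments | Where-Object User -eq $User)
    $hasRole = @($mine.Role) -contains $needed[$Action]
    # ABAC part: the user's location attribute must match the system being accessed.
    $hereToo = @($mine.Location | Select-Object -Unique) -contains $SystemLocation
    return ($hasRole -and $hereToo)
}

# Report every user holding both halves of a forbidden pair (alice in the sample data).
Find-SodViolation -Assignments $Assignments -Rules $SodRules | Format-Table -AutoSize

# bob approving in LON: right role, matching site. bob approving in CPH: right role, wrong site.
Test-Access -User 'bob' -Action 'approve-payment' -SystemLocation 'LON'
Test-Access -User 'bob' -Action 'approve-payment' -SystemLocation 'CPH'
```

Running Find-SodViolation over a periodic export is the detective control that backs the attestation the post talks about; the preventive control is refusing the second role at assignment time using the same rule table.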
