Identity and Access Management community: Discover and share best practices to control IAM for your real world.
I'm pleased to announce the immediate availability of Dell One Identity Cloud Access Manager 8.0. This major release is a significant update to our web single sign-on, web access management and identity federation solution. And in a way, it includes a "little something for everyone" - meaning it has new capabilities in many different focus areas, including business-to-consumer (B2C) deployments, strong authentication scenarios and in-house application development.
Adaptive, Risk-Based Authentication
With all the news these days about security breaches, and so many of them involving stolen passwords, it's no surprise that strong authentication (two-factor authentication solutions, smartcards, X.509 certificates, etc.) is seeing a resurgence in importance. By requiring something besides a username and password to access applications, security professionals can better protect enterprise data. At the same time, no one wants to unduly limit productivity; indiscriminately putting barriers between users and their work is an equally risky proposition.
The best approach to employing strong authentication for web applications is to do so with an awareness of context: information like "is the user on a browser they have used before?" or "are this physical location and time of day typical of the user's login history?" These context data elements can be used to assess how risky an access request is, that is, how likely it is that the person on the other end is your user and not an attacker.
CAM 8.0 ships a new component called Dell's Security Analytics Engine, whose job it is to assess these very context elements, and provide CAM with the ability to adapt to heightened risk by asking that a user present a second factor of authentication, or by blocking the user altogether. Dell's Security Analytics Engine can work on its own, or it can optionally leverage information from complementary Dell solutions like SonicWALL network security appliances or SecureWorks threat intelligence data. And CAM can apply these risk policies to individual high-risk applications, or to the entire application environment.
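The decision described above, as an added example that is not Cloud Access Manager or Security Analytics Engine code: each context signal (unknown device, unusual country, unusual hour, a hit in an external threat feed) adds points to a risk score, and a per-application policy maps the score onto allow, step-up to a second factor, or block. The weights, thresholds, sample login history and the "flagged IP" list are constructed values for the example.

```python
"""Context-aware (risk-based) step-up decision for a web SSO gateway.

Added example, not Cloud Access Manager code. Weights, thresholds and the
sample history are constructed values; a real engine would learn the
history from past successful logins.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Assumed risk weights: how many points each context signal adds.
RISK_WEIGHTS: Dict[str, int] = {
    "new_device": 30,        # browser/device fingerprint never seen for this user
    "unusual_country": 40,   # source country absent from the user's login history
    "unusual_hour": 15,      # outside the hours the user normally logs in
    "threat_intel_hit": 50,  # source IP on an external block list (assumed feed)
}

# Assumed per-application policy as (step_up_at, block_at):
# score >= step_up_at demands a second factor, score >= block_at denies outright.
APP_POLICY: Dict[str, Tuple[int, int]] = {
    "default": (30, 70),
    "hr-payroll": (15, 50),  # high-risk application gets tighter thresholds
}


@dataclass(frozen=True)
class LoginHistory:
    known_devices: FrozenSet[str]
    usual_countries: FrozenSet[str]
    usual_hours: range  # local hours observed in past successful logins


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    source_ip: str
    country: str
    hour: int
    app: str


def risk_score(req: AccessRequest, history: LoginHistory,
               flagged_ips: FrozenSet[str] = frozenset()) -> Tuple[int, List[str]]:
    """Score one request against the user's history; returns (score, triggered signals)."""
    reasons: List[str] = []
    if req.device_id not in history.known_devices:
        reasons.append("new_device")
    if req.country not in history.usual_countries:
        reasons.append("unusual_country")
    if req.hour not in history.usual_hours:
        reasons.append("unusual_hour")
    if req.source_ip in flagged_ips:
        reasons.append("threat_intel_hit")
    return sum(RISK_WEIGHTS[r] for r in reasons), reasons


def decide(req: AccessRequest, history: LoginHistory,
           flagged_ips: FrozenSet[str] = frozenset()) -> Tuple[str, int, List[str]]:
    """Map the score onto the application's policy: 'allow', 'step_up' or 'block'."""
    score, reasons = risk_score(req, history, flagged_ips)
    step_up_at, block_at = APP_POLICY.get(req.app, APP_POLICY["default"])
    if score >= block_at:
        action = "block"
    elif score >= step_up_at:
        action = "step_up"  # password alone is not enough: ask for a second factor
    else:
        action = "allow"
    return action, score, reasons


# Constructed sample data: one user's history and a tiny "threat feed".
ALICE = LoginHistory(
    known_devices=frozenset({"fp-chrome-win-1"}),
    usual_countries=frozenset({"US"}),
    usual_hours=range(7, 20),
)
FLAGGED_IPS = frozenset({"203.0.113.9"})  # RFC 5737 documentation address, constructed entry

if __name__ == "__main__":
    for req in (
        AccessRequest("alice", "fp-chrome-win-1", "198.51.100.4", "US", 10, "intranet"),
        AccessRequest("alice", "fp-unknown", "198.51.100.4", "US", 10, "intranet"),
        AccessRequest("alice", "fp-unknown", "198.51.100.4", "BR", 10, "intranet"),
        AccessRequest("alice", "fp-chrome-win-1", "198.51.100.4", "US", 2, "hr-payroll"),
        AccessRequest("alice", "fp-chrome-win-1", "203.0.113.9", "US", 10, "hr-payroll"),
    ):
        print(req.app, req.device_id, decide(req, ALICE, FLAGGED_IPS))
```

Two design points matter more than the exact numbers. First, the step-up action must demand a genuinely different factor (a one-time code, a certificate, a push approval), not a second password prompt, because the attack this defends against is a stolen password. Second, the returned reasons list should be logged with the decision so that a blocked or challenged login can be explained later, both to the help desk and to the SOC.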
Social Authentication
Users forget passwords, but not all passwords are equally likely to be forgotten. A user is much more likely to recall the AD password they use to access the network each day than a password to a less-frequently-visited internet site. This is why social authentication, authenticating to internet sites with Facebook, Microsoft LiveID, etc. credentials, has become so popular. Social authentication lets end users remember fewer passwords, and that is extremely valuable to them.
CAM 8.0 now supports the OAuth 2.0 protocol as a client, which enables end users to authenticate to the centralized authentication infrastructure using credentials from popular social web sites. In an important twist, since social sites seldom hold the kind of data organizations use to determine roles and application permissions, CAM presents an "account linking" process so that authorization can be driven from internal data while authentication is outsourced to a password users are more likely to remember. This may be appealing, for example, to educational institutions targeting alumni, or to organizations running "portal" environments for customers or partners.
Mobile Application Development
For organizations with their own IT development group, modern application development is seeing a different kind of resurgence - the resurgence of "rich client" applications. Specifically, organizations are now prioritizing the development of native mobile applications (apps that don't run in a browser, but instead natively in a mobile device OS) as first-class citizens on par with - and sometimes ahead of - web application interfaces.
CAM 8.0 introduces support for the modern protocols used most for mobile application development, namely OAuth 2.0 (this time as an authorization server) and OpenID Connect. Unlike the Security Assertion Markup Language (SAML) protocol popular with web apps, OAuth 2.0 and OpenID Connect were developed with native apps and REST-based interfaces in mind. With this support, organizations deploying CAM can leverage their existing web application authentication infrastructure with this class of applications, as opposed to writing all the access control logic "from scratch" like they did for web applications a decade ago.
There's even more new in Cloud Access Manager 8.0, but this post is getting too long! I encourage those interested in learning more to visit CAM's web page, and to post here if you have any questions.
If you look at the security breaches that have been in the news almost weekly over the past several months, they all have one thing in common — someone was able to get their hands on stuff they should not have been able to access and were able to do lots of damage acting as a “superuser.” Ask yourself, how much damage could someone do to your employer if they got hold of your corporate credentials? Probably not that much. Maybe they could pretend to be you and request changes to your organization’s website, or they could blog as you and say mean things about your boss. Or they could send out a companywide email full of slanderous gossip… But none of those would bring your employer to its knees.
Download and read Identity and Access Management for the Real World: Privileged Account Management, to learn about a unified, real-world approach to privileged management.
Now ask yourself: what if I were a system administrator with access to the root account on a critical server that housed all of our customer data, or maybe the secret design plans for our next revolutionary IAM solution? And what if one of those bad guys got hold of that type of access? A breach like that could have you acting out the famous scene from “Ghostbusters”: “A disaster of Biblical proportions… Fire and brimstone coming down from the skies! Rivers and seas boiling! Forty years of darkness! Earthquakes, volcanoes… The dead rising from the grave! Human sacrifice, dogs and cats living together… Mass hysteria!” Okay, maybe not that bad, but you get the point.
But there is hope: watch this privilege management video to learn more. Technologies exist that can overcome all of these shortcomings, and most organizations are using one or more of them. But therein lies the problem… How disjointed are the solutions being used, and what’s falling between the cracks? Here are a few videos that talk about some of these solutions:
If you read any of the previous “Identity and Access Management for the Real World” chapter, you know that I am on this soapbox about unifying, simplifying, and implementing IAM solutions with an ideal end state in mind. My mantra, is “future-proof your IAM, so you don’t have to keep going back to the well.” This is just as true for privileged account management as it is for access management and identity governance. This video offers a nice overview of how to control superuser permissions.
Each year, Gartner Inc. analyzes every vendor in the Identity Governance and Administration market. Their research has particular significance because it often identifies the innovations that drive the market. As part of that report, Gartner also releases the Magic Quadrant, which shows the relative positions of the market's competitors. Dell is honored to be recognized as a Challenger in the Gartner Magic Quadrant for 2014.
Magic Quadrant for Identity Governance and Administration Source: Gartner (January 2015)
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from https://software.dell.com/reglanding/2796/.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
If you read Chapter One of Identity and Access Management for the Real World, you learned of a proposed “maturity model” for IAM. Just to summarize, I likened your IAM journey to Maslow’s Hierarchy of Human Needs with the pinnacle being governance.
Until access, security, control, and management are taken care of, governance is a near impossibility. That’s why the governance chapter of IAM for the Real World follows the access management chapter. If you are struggling to manage access, you will REALLY struggle to achieve governance.
There are all kinds of technical and jargon-laden definitions, but I like to describe it this way: Governance is making sure you do things right. From an identity governance standpoint, it means making sure that the right people have the right access, to the right stuff, in the right way, with all the other right people saying that it is OK that it’s happening that way.
And then there’s what should be governed. There are three major categories where identity and access governance (IAG) come into play, and no project is complete unless all three are addressed:
End user access to applications
End user access to data
Administrator access to privileged accounts
But it gets hard when you start to consider what all of those “rights” actually mean in your real world. And it gets really hard when you have to define “right” over and over again, for the same people but on different systems or for different access scenarios. All of a sudden “right” might not be quite so right. And when governance is an afterthought, tacked on after the fact, it becomes just another area of additional complexity, rising costs, and potential failure. On the other hand, if your access management tasks are performed with a governance mindset, and with governance-enabled tools, the journey up the pyramid is simple and painless. Watch this video on how line-of-business personnel can actually be at the front lines of governance through attestation/recertification.
Put in simple terms, if provisioning is done without an eye towards governance or governance is imposed on an existing and flawed provisioning implementation, you’re in for a bumpy ride. And if your access governance solution can’t cover data and/or privileged accounts, that’s just one more layer of technology and one more solution that must be deployed, supported, and paid for.
So governance for the real world considers all the rights that are in play across all access types, all user populations, and all systems. And it is tightly coupled with the foundation for everything: provisioning. Watch this video to learn more about provisioning and governance. Here’s a short video on the Dell One Identity approach to identity governance.
To learn more about this real-world approach to governance, download and read Identity and Access Management for the Real World: Identity Governance.
I am pleased to announce that Dell One Identity Manager was recognized as a 2015 SC Awards Finalist for Best Identity Management Solution.
Products in this category address the identity management lifecycle in an enterprise environment, including:
Read the full article
In my last blog about the "Identity and Access Management for the Real World: The Fundamentals", I gave some pointers on front-loading your IAM project for success. Today I’d like to delve into some specifics of what you may be trying to accomplish with your IAM project, as well as some common barriers to tactical success. Finally, I'll leave you with some more ideas to help you succeed where so many others may have failed.
Today we’ll talk about access management, which is covered in Chapter 2 of the ebook series: Identity and Access Management for the Real World: Access Management.
The whole purpose of identity and access management is to grant people the access they need to do their jobs, but to do it in such a way that security and compliance are maintained. It’s a lot easier said than done. Just ask yourself a few questions:
If the answer to any of these is not “one” or “it’s easy and works seamlessly with what I already have in place”, then yours is like most IT organizations. It's not a question of whether a "real world" approach to IAM can help; the issue is “where do I start?”
Reduce the number of passwords - This can be done through consolidation of directories and identities and through single sign-on (SSO) technologies. Don't settle for a solution that addresses one area while leaving others untouched. The ideal SSO approach will provide for each of your diverse target systems. Here’s a short video that talks about this real-world approach to single sign-on.
Automate as much as possible - This will relieve IT of the time-consuming and error-prone burden of manually managing identities and access across diverse systems. Most IAM solutions are all about automation, but unless you implement with an eye on unification and consolidation, you could end up automating the same thing on different systems, with different tools.
Get the biggest bang for your buck - If you can get Active Directory right, pulling as much into AD as possible, you will free up lots of time and money to focus on other areas. Here’s a video about using AD as a starting point. Here’s an Active Directory management video that shows some of the ways you can use AD-specific tools to open up bandwidth for larger IAM initiatives.
Keep your eye on the prize - Never forget the goal of your IAM project: you need to ensure that everyone in your organization can get to the things they need to do their jobs, and that none of your important stuff falls into the wrong hands. Stated another way, you need governance. Don’t miss the forest for the trees by getting bogged down in the tactical problem of the day. Keep your eye on the strategic purpose that drives the whole thing.
For a more in-depth discussion of access management and the real-world approach that I’ve been talking about, download Identity and Access Management for the Real World: Access Management. And keep your eye on this space for additional insight into making your IAM project perfect for your real world.
Anyone associated with tech these days has heard the term “Big Data.” The term can refer to many different technologies, methods, and concepts. One technology it refers to is NoSQL. NoSQL is a database technology that stores and retrieves data in a radically different way than a traditional relational database like Oracle’s DBMS, which gives NoSQL performance advantages on certain datasets. The most popular NoSQL database is MongoDB. MongoDB is used by over 2,000 organizations, including a third of the Fortune 100, to solve their information problems.
When a new technology emerges, businesses first evaluate the technology to verify its value. Once that is done, the business looks to add security controls. According to Gartner’s 2013 Big Data Survey, a full 27% of respondents cited security as a challenge. With the enterprise adoption of MongoDB, businesses are looking to incorporate the same security controls they are accustomed to with their traditional DBMS.
Today we are happy to announce a technology integration with our friends at MongoDB. With the assistance of Alex Komyagin at MongoDB and our own Kyle Robinson, we provide a step-by-step guide to integrating Authentication Services with MongoDB. Before this integration, MongoDB customers did basic LDAP-type integrations that did not leverage the power and flexibility of Active Directory. Using Authentication Services, customers can take advantage of all the benefits Active Directory offers as a directory service. This integration lets our customers enjoy two industry-leading technologies, MongoDB and Authentication Services, while reusing a proven security infrastructure.
More information can be found on MongoDB's site or the Dell Software Knowledge Base.
For years, identity and access management (IAM) has been seen as the project of denial, restriction, limitation and sometimes failure. The processes and technologies required to enhance security seemed also destined to stifle collaboration and interfere with revenue-generating …blah blah blah. Let me boil it down for you.
Fundamentally, you’re probably in one of several camps:
1) You have lived through or are living through an IAM project gone wrong
2) You’re new to IAM and / or
3) You’re trying to secure funding for your security / IAM project
The high-quality, completely-over-produced graphic to the right depicts your challenges.
Dell has a plethora of content to help people in the upper right. Basically, that answer is “what’s your pain?” Is it two factor authentication? Single sign-on? Privileged accounts? We have you covered. Our latest white paper deals with the upper left quadrant.
Learn how you can position your security / IAM project as a business enablement tool. Looking at the project through the lens of the business owner, you’re likely to find additional sources of funding for those IT organizations that might be wary of investing further in IAM where they may have already “touched the hot stove several times.”
If this sounds like you, I recommend you take a read. It’s quick and interesting, even if I have to say that because I wrote it. Also, if you do read it, I’d appreciate your feedback. Thanks!
I spend way too much of my time thinking about identity and access management (IAM). I guess it’s what pays the bills, so that’s a good thing. I get paid to write about, talk about, and evangelize the Dell way of doing IAM.
I’ve written a little book called Identity and Access Management for the Real World. Chapter One: The Fundamentals delves into the basics of IAM, the challenges we all face, and some recommendations to overcome those challenges.
Unlike many of you, if I mess something up I just look like a fool … no one really gets hurt, my employer doesn’t suffer significant damage, and there’s no headlines warning everyone of the dangers of doing business with me or my employer.
These tenets aren’t universal; there are organizations that have everything nailed down and have all the right people doing the right things and are able to prove it. But there are many more (possibly you and your organization) that are struggling with one or more of these factors. That’s just the way it is. Here’s a short Identity and Access Management video that discusses one company’s struggle with, and solution to this complexity problem.
I think the reason we have these problems is that we’re spending so much time putting out fires that we haven’t been able to purge the dead undergrowth to prevent the next fire from spreading out of control. After all, when you find a weakness or experience a breach, you must immediately find a solution to that problem. And the fastest solution may not be one that has anything to do with preventing the next fire that will inevitably ignite. We end up with a bunch of disjointed access methods, a jumble of ways authorization is defined and enforced, and lots of productivity-sapping hoops that end users and IT have to jump through just to do their jobs, all in the name of better security. The victim is business agility (and isn’t that what we’re all in business for in the first place?)
Reduce complexity where ever possible. Take advantage of existing tools and infrastructure whenever possible to reduce the need for new identities, new provisioning workflows, and new IT tasks to simply grant users access. A great example of this is the AD bridge – simply extending Active Directory authentication and authorization to Unix/Linux systems has proven to dramatically reduce the workload and risk of access to those systems.
Put the business in charge. We all love our IT departments but they should not be the ones making decisions on who should access what and under what circumstances. But they are precisely the ones that most often control these things simply because they know how to manage the systems and the accounts. Do whatever you can to return that control to the ones that are accountable for the data stored and used on those systems.
The little book I've written goes into more detail on this future-proof approach to IAM. Subsequent chapters discuss the specifics of governance, access management, privileged account management, mobility, and even IAM as a service. I’ll be writing about those topics in the coming weeks.
January 27, 2015 | 1:00 p.m. Eastern / 10:00 a.m. Pacific For years, identity and access management (IAM) has been seen as the project of denial, restriction, limitation and sometimes failure. The processes and technologies required to enhance security seemed also destined to stifle collaboration and interfere with revenue-generating work. In fact, at times, the processes forced employees, partners and customers to spend precious time searching for ways to circumvent the IAM infrastructure in order to do their jobs. The next generation of IAM solutions is changing this perception. Attend this live event with Carol Fawcett, Executive Director & Chief Information Officer at Dell Software, to learn how these new modular and integrated IAM solutions better enable business. Attendees will learn how the latest IAM solutions:
Register today! About the presenter: Carol Fawcett is Executive Director, Mergers & Acquisitions and Chief Information Officer for Dell Software Group at Dell. She is responsible for leading and driving Dell Software’s overall strategic information technology vision, enabling the company to align, leverage and capitalize on the biggest trends in security, mobile, analytics and cloud. Carol has more than three decades of experience serving in IT leadership roles. Prior to joining the Dell Software team, Carol held positions at Quest Software, Western Digital, Coldwell Banker and Pacific Mutual.