Identity and Access Management community: Discover and share best practices to control IAM for your real world.
Read full press release
Dell Software today announced that Radboud University, a leading Dutch academic community, deployed Dell One Identity Manger to gain control of both access governance and provisioning, reducing by 50 percent the time it takes students to complete the enrollment process. While many identity and access vendors require customers to choose between provisioning and governance, Identity Manager addresses both, enabling the university to create an efficient and effective identity and access management strategy that will serve for years to come.
In addition to being a leading academic community, Radboud University is home to several research institutions and is affiliated with one of the largest academic hospitals in the Netherlands. As such, the organization manages a constantly changing user population of 45,000-50,000, including students, faculty, alumni, independent researchers, contractors, and others. With a continually changing population, the university faced several challenges including "entitlement creep," which occurred as users changed roles. Access required for their new roles was added, but access they needed for their old role was not always terminated, creating risk by giving large numbers of users access and entitlements beyond what they needed.
With 10,000 students entering and leaving the university every year – students becoming alumni at graduation, and new students needing speedy enrollment in the fall – the university also needed to make real-time changes to students’ access rights. In addition, steady updates to national laws and business requirements regarding access made it necessary for the university to have a solution that enabled them to make those changes quickly and easily.
The school found it difficult to manage all of these challenges with its legacy Sun Microsystems IDM solution without a significant increase in staffing. In addition, an uptick in data leaks at Dutch institutions in general caused university officials further unease. Because the university handles a great deal of sensitive data, including personal information, bank account information and research data, Radboud officials were particularly concerned about the potential cost to reputation and finances if a leak occurred due to inappropriate access.
Gaining control of governance and provisioning, while increasing user satisfaction and decreasing IT workload
Working with Dell implementation partner Intragen, Radboud University evaluated the market’s identity and access management solutions, and chose Dell One Identity Manager to address its multiple IAM needs. Completeness of solution was critical to the university’s solution choice, and Identity Manager was selected for its ability to address both provisioning and governance needs, unlike the university’s legacy solution. Using Identity Manager, Radboud put an end to entitlement creep, and enabled real-time changes to user access settings, ensuring the right people had the right access to the right data and applications. The solution also addressed the university’s unique and complex user environment, enabling the management of users with multiple roles (i.e., an alumnus who is also a faculty member) by linking each user’s roles to one identity.
With Identity Manager, the university has cut the time required to provision a new user in half, and because processes that previously were done on a nightly basis can now be done on a near real-time basis, enrollment time has also has been reduced from two or three days down to one. Combined with the solution’s self-service options for users, these features have both improved user satisfaction and decreased IT workload.
With its provisioning and governance needs addressed, Radboud University now has the security it needs to protect itself from data leaks, and resultant damage to its reputation and financial bottom line. With Identity Manager, the university is set to effectively manage identity and access today, and can grow the solution to meet its needs in future years.
During the summer between my eighth and ninth grade years, I worked at the local elementary school as a janitor. My job, along with one other kid was to clean the school from top to bottom to get it ready for the next school year. It seemed like the majority of the summer was spent washing desks and chairs. This other kid and I discovered that our keys worked on the school library, so we wheeled out the color TV and, while we scraped gum off of the underside of desks and chairs, we watched whatever was on the three broadcast networks or PBS. So we ended up watching a lot of soap operas, talk shows (Mike Douglas anyone?), and game shows.
We discovered a game show called Match Game (I guess this would have been Match Game 77 or 78) and it quickly became our guilty pleasure. If my mom had known I was watching this irreverent, and slightly proactive (at least for a 14 year old) show, I’m sure she would have demanded I quit the job, or promise to only watch the PBS channels while at work.
Match Game was hosted by Gene Rayburn and involved a panel of six celebrities (I assume they were celebrities, but I only ever saw them on this show) who would try to match their answers with those provided by the two contestants. The questions were always formed as a fill-in-the-blank question that left lots of room for off-color answers and double entendre:
“Johnny always put butter on his “
“Did you catch a glimpse of that girl on the corner? She has the world’s biggest “
“Whenever our family goes to the church picnic, our favorite activity is “
As you can imagine, hilarity often ensued.
Invariably, if given the opportunity, mainstay “celebrities” Brett Summers, Nipsy Russell, and Charles Nelson Riley, would use the “making whoopee” answer, which was sure to elicit uncontrolled laughter from the audience, and blushes from a pair of 14 year old janitors.
So what does this have to do with identity and access management?
We recently contracted a through survey of companies with more than 1,000 employees across a wide range of geographies and industries. The questions focused on those companies’ current approaches, future plans, and challenges with IAM. One question in particular seemed ideally suited for the Match Game treatment.
“My most pressing and immediate IAM need is “
To my disappointment, “making whoopee” was a statistically insignificant answer, but the real answers from these real organizations revealed some interesting results. From the most popular answer to the least, respondents said:
That’s only a nine percent difference between the most common need and the least common. By diving a little deeper into the possible reasons people selected the answer they did, I see two drivers at play at virtually every IAM project.
First, there is a compelling need to make sure that the right people have the right access to the right resources in the right way and that all that stuff is done right. Basically access control and governance over access is driving the largest number of IAM projects. That makes sense.
Second, there is an undercurrent of trying to accomplish access control and governance in the most efficient manner possible.
So why is this all so hard? I think it boils down to the way IAM has traditionally been addressed. Going back ten years of so, IAM was all about custom-building solutions to address the unique access needs of each organization and their unique user populations. For a long time that was the only way it could be done. But it invariably resulted in bloated IAM projects that ran way over budget, never reached conclusion, and required myriad point solutions to plug the holes. IAM becomes more complex and more of a barrier to business agility than an enabler.
That was then, this is now.
Solutions exist today (and I’ll use the Dell One Identity family of IAM solutions as an example) that provide all the access control necessary, but do so in a manner that actually simplifies things, delivers rapid time to value, does not lock the organization into a rigid, expensive, and limited technology framework, and can easily expand and adjust as needs change.
So if securing user or administrator access is on your radar. Or if the current way you secure access seems to be preventing business agility, I recommend you look into the Dell One Identity family of solutions. You can learn more by reading the ebook series Identity and Access Management for the Real World.
And if I get inspired to reminisce about more adolescent game show moments, I might just blog about more survey results.
Another week, another security breach at a name brand retail establishment. I heard about this latest one in the news, just like all the others. And then the letter came. From my bank. Telling me my credit / debit card had been hacked. They deactivated it and were going to send me a new one in seven to ten days. This is the third time in four years for me that an account of mine has been hacked. So I went for a jog and started thinking.
Let’s be clear, when I start thinking, things don’t always go well.
What I struggle with as it relates to security is that everyone is spending more and more time and more and more money, but not making any progress. The reports of major breaches seem to be coming more frequently, not less. Are businesses less secure than they were before despite the increased investment? Or are the hackers just smarter than ever?
Personally, I don’t think any of this is true. And this is where it gets weird. I believe there is a connection between the way businesses ought be thinking about security and raising kids.
You see, with kids, parents move from one strategy to another. If a set of young parents has a single child, they can play man-to-man defense. For those of you that don’t know, a man-to-man defense is an American football defensive scheme where you align each of your defensive players to a single offensive threat such as a wide receiver or a tight end. In the parental vernacular, while one parent cooks, the other can localize the damage the little angel can inflict to a single room, say the family room.
With two or more kids, parents have to move to a zone defense. In a zone defense, each defensive player is assigned an area on the field and as an offensive threat enters their area, they are responsible for covering the person. In this configuration, parents let the little hellions loose around the house and simply try to protect the china in the dining room.
From my perspective, businesses today believe they are in a man-to-man situation where they are trying to protect each and every little detail of their infrastructure. I think they would be more effective using a zone defense. So how would that work? Here’s a playbook.
1) What do you really need to protect? To be clear, you can’t walk away from perimeter defenses like next gen firewalls or encryption technologies. But face it, that’s the kind of stuff that organizations have been obsessing over and the breaches continue. So invest there but perhaps move what limited resources you have to focus somewhere else. But where? What are your businesses’ really important IT assets? What are the critical apps? Which data (structured, unstructured) must absolutely be protected? For sure, customer information, PHI, PII, stuff like that. But forward looking marketing plans? I don’t think so. Sure, there’s industrial espionage but does anyone really believe that a soft drink manufacturer is trying to steal the credit cards from a home improvement superstore? No, that’s not happening. The point is that not everything needs every bit of security focus.
2) Not if, but when? That’s right. Someone, somewhere is probably trying to breach your security scheme right now. If they are motivated enough and have enough money, they will probably succeed. Your best bet is to limit the exposure; mitigate the risk. How do you do that? Simple. Control access. Hackers are in constant pursuit of credentials, ideally with elevated or privileged access. If you own this upfront and tightly control what each and every credential has access to, you have solved 50% of the problem. Make sure there are no shared admin accounts. When an employee leaves, CUT THEM OFF. When they change jobs, change their access to match their new job and eliminate the access from their previous role. This is ZONE in the ZONE defense. Isolate access to only what the user / credential needs
I contend that taken together, this zone approach will offer more security to the most valuable assets given the resource and financial constraints we all face. Stated another way, this strategy can be summed up as “find the china, protect the china.”
Many organizations are seeing surges in the amount of unstructured data in their environments, even as new data breaches come to light every week. As a result, those organizations face increased audit and regulatory pressure regarding loose access controls over unstructured data that might contain sensitive information such as Social Security numbers, credit card data, health care information and proprietary data.
Written by Randy Franklin Smith, president and CEO of Monterey Technology Group, Inc to discover:
Read the whitepaper
Last week we did a web seminar with Randy Franklin Smith about understanding Pass-the-Hash (PtH) attacks and how to prevent them. We recently released a white paper on the subject as well. So weather you are the type that likes to curl up at night with a spot of tea and read a nice book or prefer to have a Mountain Dew and stay up late watching you tube videos we have the perfect media format for you to start learning more about PtH and solutions from Dell that can help you mitigate the risk of an attack.
Watch the webinar
Read the white paper
Back when I didn’t have much of a life, I would rush home from junior high school so that I could get the TV on in time to watch Family Feud (the classic Richard Dawson version not the watered down Steve Harvey or Louie Anderson versions). I always loved it when the top answer would flip over, the bell would ding, and something like 80% of respondents all gave the same answer, and the contestants would struggle to find out what the other 20% said and inevitably get their three strikes and be out.
Well, here at the home of Dell One Identity, we’ve got our own version of Family Feud going. Only I’m not going to kiss each female, I don’t have wide lapels or a gaudy fat tie, and three strikes doesn’t get you a home version of our game and a year’s supply of Rice a Roni.
Recently we concluded a pretty through survey of companies with more than 1,000 employees asking all about their current approach, future plans, and challenges with identity and access management (IAM). The companies surveyed represented a good cross-section in terms of geography, industry, size, and approach to IAM. I’ll be blogging about the results over the next several weeks.
We asked the question:
“Do any of the following describe your organization’s opinion of IAM?” and offered several typical responses to choose from (and unlike the real Family Feud, respondents could select more than one answer).
So what did the survey say?
38% said IAM is expensive – I hear that all the time.
28% said IAM is hard – that one too.
13% felt that they have a mature approach to IAM with very little room for improvement (I’d like to meet these people, either they define IAM very narrowly or they are lying to themselves).
But perhaps the most telling answers were a tie for the most popular response:
51% agreed with the statement “IAM is complex” while 51% also agreed with the statement “we feel good about our approach to IAM but with a little work we can make it better”. So what gives? Is IAM complex or do you think IAM is OK, but like everything else has some room for improvement? To me this says that the majority of people agree that IAM is complex – after all, it’s an attempt to get your arms around the complexity of diverse systems and user populations. But the same percentage also feels good about their approach to IAM. I interpret this to mean that most people feel that IAM is necessary, it is complex, and that’s just the way it is…you better just accept the fact and do the best you can. That’s kind of sad … at least to the extent that something like IAM can elicit an emotion.
If you look at “traditional” approaches to IAM (the ones referred to by the 19% of respondents that agreed with the statement “You can only get IAM from a handful of platform vendors”), then yes IAM is complex and yes that’s just the way it is (by the way it’s also expensive and hard through these legacy solutions). But the new approach to IAM – the approach that we like to refer to as IAM for the real world – busts this myth pretty thoroughly.
With IAM for the real world, identity governance, access management, and privileged management can all be addressed with simple, modular and integrated solutions that deliver rapid time to value and actually reduce the time and money required to achieve demanding IAM objectives. IAM for the real world places the visibility and control in the hand of the right people (those that know why things need to happen a certain way not those that simply know how to perform administrative tasks on a particular system).
The Dell One Identity family of solutions has real-world answers to the concerns expressed in our survey.
Stay tuned for more results from the survey. But in the meantime, if you want to understand the right way to do IAM and decide where it’s right for you, I invite you to read the ebook series Identity and Access Management for the Real World.
If I told you today I would cover all your expenses and you could choose between a Novell CNE or a Microsoft MCSE certification, which would you choose? I’m guessing a snap decision through today’s lens would be easy. Back when I had this choice, the answer wasn't so obvious. In fact, I ponied up for my CNE.
Before I start defending that call, let’s just say it’s all moot now. The CNE helped open a door but I never really put the training into practice. One day I was muttering about IPX/SPX and the next day I was on the command-line learning Sun Solaris. The why is a story for another day but Solaris and I bonded over the better part of the next decade.
In those times it wasn't uncommon to use telnet, especially for dev systems. Not just telnet, we had dev systems still running the r* protocols. Of course, at one point in history it used to be optional to wear a seat belt. Nowadays we buckle up when we drive, and we don’t use telnet. That brings us to Secure Shell (SSH). Let’s put our seat-belt on and look at a recently published NIST draft titled “Security of Automated Access Management using Secure Shell (SSH)”. The 41 pages cover topics including SSH basics, vulnerabilities, recommended practices and guidance on planning and implementation.
Let’s focus on user authentication. The NIST draft gives a nice overview of the various supported authentication options with SSH. For the Kerberos option...we've seen the popularity of this option grow over the last decade. Dell provides a solution that allows Unix systems to integrate with Active Directory.
The integration of Unix with Active Directory opens several new avenues like using Group Policy to managing Unix (and Mac) machine/user settings and eliminating the need to provision local users for Unix/Mac access. In the context of SSH, joining Unix to Active Directory enables a scenario where an administrator can authenticate to their Windows desktop, open a popular SSH client like PuTTY, and get direct single sign-on access to a remote Unix system. No more typing a username/password for access as the SSH client and server take advantage of the underlying Kerberos infrastructure.
The NIST draft rightly points out the potential for unwanted implicit trust relationships when using Kerberos. However. Most all current AD Bridging technologies provide a solution in the form of granular host-based access control. The solution enables an administrator to dictate precisely which AD user is permitted to authenticate to which system. SSH is not directly enforcing the solution but the concern over unfettered implicit trusts is mitigated thru the host-based access control mechanism.
Another common question that comes up when using SSH with Active Directory integration: If I choose to use SSH key pairs for authenticating an Active Directory user, what happens if I need to disable the AD user’s access?
In this scenario, SSH is configured for Public Key Authentication via keys. However, instead of the user being local to the /etc/passwd file, the user account is actually located in Active Directory. This is possible as the AD integration solutions typically provide both PAM and NSS modules. When properly configured, if you disable the Active Directory user account, and the user account was authenticating via key pair, the user authentication will be denied. This happens by design when PAM properly supports the session check – regardless of how the user authenticates, the PAM session check will catch that the AD account is disabled and therefore deny access despite having a valid key pair.
The NIST draft is worth an overview if it’s been a while since you reviewed your SSH implementation. And if you have a good tip for automating SSH access where passphrases are enabled on public/private keys, please share.
There's a lot of talk about "pass-the-hash" (PtH) attacks going on. Just type "pass the hash attack" into Google and start exploring - you'll get your fill quickly. Let's start with a quick synopsis of PtH from Wikipedia's definition which you can find here:
Any system using LM or NTLM authentication in combination with any protocol (SMB, FTP, RPC, HTTP etc.) is at risk from this attack. The exploit is very difficult to defend against, because there are countless exploits in Windows and applications running on Windows that can be used by an attacker to elevate their privileges and then carry out the hash harvesting that facilitates the attack. Furthermore, it may only require one machine in a Windows domain to not be configured correctly or be missing a security patch for an attacker to find a way in. A wide range of penetration testing tools are furthermore available to automate the process of discovering a weakness on a machine.
There is no single defense against the technique, so standard defense in depth practices apply - for example use of firewalls, intrusion prevention systems, 802.1x authentication, IPsec, antivirus software, full disk encryption, reducing the number of people with elevated privileges, pro-active security patching etc. Preventing Windows from storing cached credentials may limit attackers to obtaining hashes from memory, which usually means that the target account must be logged into the machine when the attack is executed. Allowing domain administrators to log into systems that may be compromised or untrusted will create a scenario where the administrators' hashes become the targets of attackers; limiting domain administrator logons to trusted domain controllers can therefore limit the opportunities for an attacker.The principle of least privilege suggests that a least user access (LUA) approach should be taken, in that users should not use accounts with more privileges than necessary to complete the task at hand.Configuring systems not to use LM or NTLM can also strengthen security, but newer exploits are able to forward Kerberos tickets in a similar way. Limiting the scope of debug privileges on system may frustrate some attacks that inject code or steal hashes from the memory of sensitive processes.
As stated in the Wikipedia definition there is no single defense against this technique. Furthermore, if you are familiar with defense in depth practices there are a number of things that you, Mr./Ms. IAM Guru, may not have control over like firewalls, intrusion prevention systems, etc. If we assume you have some control over identity and management what can you do to help prevent PtH attacks?
One thing I would like to emphasize is that it is not possible to protect yourself 100% from this or any other type of attack so don't get wrapped around the axle too much about this. If you really need 100% protection the best thing to do is disconnect from the Internet, don't allow employees to take their laptops home or while traveling - right, fat chance. There are, however, a number of basic things that you can do to better protect yourself. Additionally, there are software solutions that can also help. Microsoft has published a number of documents about pass the hash that are worthwhile reading including: Pass-the-Hash and Other Credential Theft and New Strategies and Features to Help Organizations Better Protect Against Pass-the-Hash Attacks. A few of the most basic things you can do to protect yourself include:
We developed our Privilege Safe solution to help our customers protect sensitive administrative credentials including for Windows. Privileged Password Manager automates, controls and secures the entire process of granting administrators the credentials necessary to perform their duties. Privileged Password Manager is deployed on a secure, hardened appliance that can only be accessed via a secure, role-based Web interface that provides protection from host admin attacks, as well as OS, database or other system-level modifications. The appliance also has an internal firewall that protects against external network-based attacks and provides additional auditing capabilities. One of the additional features we have just added to this product is the ability to disable privileged accounts when they are not in use by an authorized individual. Not only do we randomize the password as it is checked-in but we also disable the account to further prevent unauthorized access while the privileged credentials are not in use.
Like most things related to security you have to trade off some convenience for better piece of mind. There's lots of great information at Microsoft's web site on protecting yourself from pass-the-hash attacks that you should familiarize yourself with. In addition, Dell's Privileged Password Manager can add an extra layer of protection to your environment.
Interested in learning more about pass-the-hash and the steps to mitigate it? Join Randy Franklin Smith for a one hour webcast where he will decrypt some of the "hash" in the pass-the-hash topic. Register today.
Summer is coming to a close. Children are going back to school, the leaves will be changing sooner than later, and college football is just around the corner. As another great summer comes to a close I want to share what I learned during my summer vacation and how that can help you protect your iDRAC and other out-of-band management systems.
Every year we take our ATV’s to a section of wilderness and explore the different trails in that region. This year we decided to explore the trails in Southern Utah. During one of our trips the coolant hose on my ATV came loose and started leaking without my knowledge. I went the whole day with antifreeze slowly leaking out of my machine. That night my father spotted the leak. We fixed the hose, topped off the coolant, and rode the rest of the week without incident. Lucky for me I had someone to help spot the problem and resolve it before I ended up getting stuck in the mountains of Utah with a broken down machine.
Just as my father helped identify the leak on my ATV let me help you identify the security leak that can come from unmanaged Privileged Accounts from your iDRAC. On most modern day servers from Dell there exists an iDrac. Other server vendors ship similar remote management adapters. This feature allows servers to be monitored for critical hardware problems, enable remote power control, and access a virtual console so you can work remotely on your servers without being near your server.
Each iDRAC or remote management adapter comes from the factory pre-configure with a username and password. Most can be found by a basic web search and others can be found conveniently attached to the server. If attackers gain access to this management interface your entire data center can be powered down in minutes causing a massive Denial of Service Attack or worse, the attacker can pull data off the system by enabling verbose logs and monitoring what your administrators are doing on the console. If you experience any of these attacks you will wish that you were stuck in the middle of the wilderness rather than face your management or the SOX, PCI, HIPAA, or NERC auditors that would be visiting your company.
With Dell One Privileged Password Manager you can fix the security leak from Privileged Accounts that your remote management adapters are experiencing. You can start rotating passwords so the root iDRAC user will never know who “calvin” is anymore. Administrator, admin, userid, and others from remote management adapters will be secured and you can rest knowing that your servers are protected from another potential security threat. Along with this protection you will have the ability to audit users that request the root account on iDrac and you will be able to produce reports to show you are satisfying the requirements of any regulatory body.
So as another summer season winds down let Dell Software help you by protecting you iDRAC and other Privileged Accounts from leaking out of your organization.