Identity and Access Management community: Discover and share best practices to control IAM for your real world.

  • Cloud Access Manager and Dell vWorkspace Integration

    I was recently poking around a "What's New" post on the Community site for Dell vWorkspace, our desktop and application virtualization solution, when I came across a small reference (one that involves Dell One Identity Cloud Access Manager) that I wanted to highlight here...

    vWorkspace 8.0.1521 MR1 Optional Hotfix 362760 for Web Access Roles for solution SOL127785

    This is an optional hotfix to address the following issue - Web Access Roles. Please refer to the Support Portal knowledgebase article 127785.

    Created: July 9, 2014

    If you click through to the KB article, you find that this update includes Cloud Access Manager integration with the vWorkspace Web Access. Through this integration, Cloud Access Manager can present an integrated set of links on its Application Portal for:

    • web-based applications protected by Cloud Access Manager, accessed through the reverse proxy or via identity federation
    • virtualized desktops and applications, accessed through vWorkspace sessions

    What the end user ends up with is an "aggregated workspace" of target links, tailored to show only the applications they are entitled to under the security settings in vWorkspace and Cloud Access Manager...

    As for single sign-on, the links on the Cloud Access Manager portal correspond to files downloaded from the vWorkspace Web Access server, which embed credentials for accessing the vWorkspace apps. So once users log in to Cloud Access Manager, they don't see extra login events for vWorkspace applications. Cloud Access Manager does authenticate the user to the vWorkspace Web Access server; that is handled either by a one-time password capture event or, optionally, by reusing the user's corporate credentials. Basically, Cloud Access Manager treats vWorkspace Web Access as a special-case protected application.

    Setup is straightforward, as seen here:

    This is a good example of how we're always looking for ways to expand the value Cloud Access Manager provides customers by addressing new classes of applications. We'll be adding more functionality like this in the future - so stay tuned!


  • The Cloud and the new role of IT departments

    “The Cloud” is changing business in many ways. This discussion is mostly targeting B2B and B2C applications and how cloud and SaaS offerings are affecting access control and security.

    Cloud and SaaS offerings reduce the time it takes to implement and begin using business-relevant applications compared with the traditional way of getting an application up and running. In the past, business departments needed to talk to IT and go through every step from budget funding to software selection to purchasing and finally implementation with IT. Today, you can simply subscribe to a software-as-a-service offering that fits your needs and start working. This is the “new business agility” that results from a SaaS offering.

    The role of IT departments is changing and adapting. Even if the business departments can easily use line-of-business applications in the cloud, companies are still accountable for controlling the access, the use and the security of the data in those applications.

    For the IT department this means that it is not necessarily the department implementing, operating and supporting the application itself, but the one providing the tools and processes for governing and controlling the overall system security. IT departments need to become a real partner of the business and an enabler of the new agility. IT departments have an opportunity to become the internal facilitator, or a kind of consultant, for the integration of business-relevant SaaS applications. The business and IT need to ensure that the applications are brought into the overall IAG and GRC program and its tools and solutions, so that processes such as the following:

    • Who should have access or not?

    • How to grant or revoke access and permissions?

    • How to provision or de-provision access and permissions?

    • How to attest/recertify access and permissions?

    are not broken and the new applications fit into the overall scenario.

    Uncontrolled growth and use of cloud applications by the business could lead to uncontrolled systems and violation of internal and external regulatory controls. IT departments are the natural partner of the business for ensuring security and compliance, not just for on-premises applications but for SaaS applications as well.

    A company should develop a best-practices IAG/GRC program as a prerequisite to having the appropriate IAG applications in place, ones that provide all the features required for managing both on-premises and off-premises applications.

  • Winner in Identity & Access Mgt. by the readers of and Information Security Magazine!

    We are honored to announce that Dell One Identity Manager has been chosen as a Winner by the readers of & Information Security Magazine.

    "Dell's offering also supports other best-in-class IAM products, providing the ability to transition an entire IAM strategy into one view. Dell has moved to expand its One Identity suite with Cloud Access Manager as well. The cloud-focused play provides a number of traditional IAM features including single sign-on capabilities for a variety of Web application access scenarios."

    Dell One Identity Manager starts from the premise that access to business-critical information should be managed by the business and not by IT. That’s why Identity Manager empowers the business to govern needed access for agile and effective operations, while reducing the burden on IT. Identity Manager gives you the visibility and control you need to:

    • Understand what you have in your environment and who has access to it
    • Empower business managers to understand what employee entitlements actually mean and certify access accordingly
    • Establish a continuous process to ensure that every individual has the right access to do their job, nothing more

    The Identity Manager family of solutions includes three products, so you can choose the one that best meets your organization’s specific access management needs.

    Read More about the Award

    Learn More about Identity Manager

  • Is separation of duties (SoD) the key to protection from fraud and errors?

    It is 6:30 in the morning and I'm about to get ready to head to the airport and then home after a week-long business trip. On my way out the door I pick up my hotel bill; as I walk towards the elevator I look over the invoice and notice an additional restaurant charge from the night before. I go to the front desk and have the hotel staff check things over and quickly reverse the charge, as someone else had accidentally charged their dinner to my room.

    I know this is not the first time it has happened to me or other colleagues. On my taxi ride to the airport, I keep wondering how this happens. Why can’t the server realize someone just charged two different bills to the same room? Or, why aren’t there any measures within the restaurant management system in place to quickly pick up these anomalies?

    To me, it should be a no-brainer that restaurant management systems should have some concept of Separation of Duties (SoD) to protect the restaurant and patrons from common errors like guests accidentally charging their bill to other rooms. Ok, maybe I’m over-thinking this. However, is it too much to ask the restaurant management system to at least warn the server closing the bill that the same room number was used on another invoice less than an hour ago? A simple pop-up or warning message could have helped the server realize a potential error, or given them the ability to correct it before the invoice gets reconciled during the night and ends up on someone else’s hotel bill.

    Is separation of duties (SoD) the key to internal controls that increase protection from fraud and errors? Are today’s organizations taking more proactive measures to protect themselves against fraud or errors, which can jeopardize their brand name or cost $$$$ in lost revenue, fines, etc.?

    The basis of segregation of duties (SoD) processing is a set of rules that represent the technical implementation of prescribed guidelines. They are grouped according to different frameworks (e.g., “internal guidelines”, “SOX”, etc.) or according to content-related criteria, such as for individual application systems. They can be either preventive controls or detective controls. Either way, compliance with the rules established for employees and their access permissions in the enterprise needs to be monitored with an SoD check.

    Taking my hotel bill anomaly example and applying it to real-world scenarios, I see companies of all sizes starting to place more importance on not combining internal roles such as receiving and signing company checks. The separation of duties in this case fully restricts the amount of power an individual user has over their core responsibility and minimizes the potential risks.
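    The SoD rules described above can be expressed directly in code. The following is an added example (not from the original post or any Dell product): rules grouped by framework, a preventive check run before an entitlement is granted, and a detective scan over existing assignments; the entitlement names and the second rule are constructed for illustration, while the first rule is the post's own receive-versus-sign-checks conflict.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Added example, not part of the original post. Entitlement names and the
# "SOX" rule below are constructed for illustration.

@dataclass(frozen=True)
class SodRule:
    """One SoD rule: a set of entitlements that must not be held together,
    grouped under the framework that prescribes it (e.g. "SOX")."""
    name: str
    framework: str
    conflicting: frozenset

RULES: List[SodRule] = [
    # The post's own example: receiving and signing company checks.
    SodRule("receive-vs-sign-checks", "internal guidelines",
            frozenset({"finance:receive_checks", "finance:sign_checks"})),
    # A typical financial-reporting conflict (constructed).
    SodRule("vendor-vs-payment", "SOX",
            frozenset({"ap:create_vendor", "ap:approve_payment"})),
]

def violated_rules(entitlements: Iterable[str],
                   rules: List[SodRule] = RULES) -> List[str]:
    """Return the names of every rule whose complete conflicting set is held."""
    held = set(entitlements)
    return [r.name for r in rules if r.conflicting <= held]

def preventive_check(current: Iterable[str], requested: str,
                     rules: List[SodRule] = RULES) -> Tuple[bool, List[str]]:
    """Preventive control: evaluate a request *before* provisioning.
    Only rules that the requested entitlement would newly complete are
    reported, so a pre-existing violation does not block unrelated requests.
    Returns (may_grant, names_of_rules_the_request_would_violate)."""
    before = set(violated_rules(current, rules))
    after = set(violated_rules(set(current) | {requested}, rules))
    newly = sorted(after - before)
    return (len(newly) == 0, newly)

def detective_scan(assignments: Dict[str, Iterable[str]],
                   rules: List[SodRule] = RULES) -> Dict[str, Dict[str, List[str]]]:
    """Detective control: sweep current assignments (e.g. at attestation time)
    and report violations per user, grouped by framework for reporting."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for user, ents in assignments.items():
        held = set(ents)
        for r in rules:
            if r.conflicting <= held:
                report.setdefault(user, {}).setdefault(r.framework, []).append(r.name)
    return report

# Constructed sample assignments for the detective scan.
SAMPLE_ASSIGNMENTS = {
    "alice": {"finance:receive_checks", "finance:sign_checks"},
    "bob": {"finance:receive_checks", "ap:create_vendor"},
    "carol": {"ap:create_vendor", "ap:approve_payment", "finance:sign_checks"},
}

if __name__ == "__main__":
    # A request that would complete the receive/sign conflict is refused.
    print(preventive_check({"finance:receive_checks"}, "finance:sign_checks"))
    # The periodic sweep flags alice and carol; bob holds no toxic combination.
    print(detective_scan(SAMPLE_ASSIGNMENTS))
```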

  • Learn how the City of Houston secures application access for its 15K users

    Upcoming webcast

    Thursday, November 20th, 2014

    2 pm EST

    Clear proof that Dell Software Identity and Access Management solutions are MUCH more effective than your favorite pain reliever!

    Learn how the City of Houston relieved its application access and password-induced headaches when it implemented Dell One Identity Manager and Cloud Access Manager for its 15,000 online users. Houston CIO Charles Thompson and Dell Software’s Mark Costenbader join Todd Sander of the Center for Digital Government in a webinar detailing how the city improved its security profile and reduced costs by using Dell Software. 

    Register for “Security Headaches? Streamline and Secure” 

  • 60 Minutes - Cleaning up the VA: Single sign-on & Identity Management Highlighted as a Problem

    During the 60 Minutes episode titled "Cleaning up the VA" that aired on November 9, 2014, Secretary Robert McDonald highlighted many of the problems that our veterans face obtaining their benefits. If you didn't have the opportunity to watch the episode I encourage you to do so, as it is both moving and troubling. It's obvious that Bob - as he likes to be called - has a huge challenge in front of him. A challenge that he said "my whole life has been designed to lead to". During the interview Secretary McDonald outlined some of the significant problems he and his team needed to solve for the veterans. The second problem he highlighted - at approximately 9:08 in the interview - as "not acceptable" was the fact that veterans had to deal with "multiple websites that require multiple usernames and multiple passwords". I think many of us in the identity & access management community have both encountered, and helped customers overcome, this type of problem and problems similar to it. Fortunately, standards like SAML, federation and OAuth exist to solve exactly the types of problems that Secretary McDonald highlighted:

    • SAML: The Security Assertion Markup Language (SAML) is a standard for exchanging authentication and authorization data. Or, put a different way: SAML helps to solve the problem of web single sign-on.
    • Federation: a means of linking a person's username, password and associated attributes across multiple distinct systems (or websites). Of obvious importance to the VA is single sign-on, where a user's authentication token (username & password) is trusted across multiple IT systems (websites) or organizations.
    • OAuth: commonly used as a way for web users to log on to third-party web sites - like the VA's - using their Google, Facebook or Twitter accounts (tokens). OAuth is the open standard for authorization.

    I do not want to presume to know or even understand the depth of the problem that Secretary McDonald and his team at the VA have to clean up. I can say, with conviction, that this problem is not insurmountable and it is why I have been so passionate about single sign-on for many years. It's one of the reasons why we designed and built Dell One Identity Cloud Access Manager to not only solve these types of problems but to also be easy-to-use, install and operate. I'm sure Secretary McDonald has many people available to advise him on this topic but if he doesn't or needs an extra opinion all he has to do is give me a call - my advice is free. Good luck sir!

  • The Apple Pay Revolution Has Started

    On October 20, 2014 Apple released an update to iOS that enables Apple Pay. This may have been the first day of the revolution against hackers that many of us have been waiting for. And it may be a revolution that ultimately affects many of us in our day-to-day IAM lives. Why do I feel this strongly about Apple Pay? A number of reasons:

    1. Apple is a market maker and as such they are one of the few companies that can change how we - the consumer - spend our money. Just like they revolutionized the mobile phone they have the capability to revolutionize mobile payments.
    2. Hackers are generally motivated by money. Is there really a point to being a hacker if you can't profit from it?
    3. Credit card numbers (and other important information) are the stock-in-trade of the hacker. Hacking systems to access credit card records is the easiest way to get massive numbers of credit card numbers.

    What's in it for Apple? Well, Forrester forecasts that US mobile payments will reach $90B in 2017, a 48% compound annual growth rate (CAGR) from the $12.8B spent in 2012 and if Apple were getting a penny on every transaction - well, you do the math.

    I don't think I need to provide you links to any of the recent hacks that uncovered millions of credit card numbers as there's been more than enough publicity of them. So how will Apple Pay revolutionize mobile payments? For one thing, your actual credit card number won't be stored on your iPhone. When you add a credit or debit card to Apple Pay it is encrypted and sent to Apple servers. Apple then decrypts the data, determines your card’s payment network, and re-encrypts the data with a key that only your payment network can unlock. Once your bank approves the use of your card for Apple Pay a device-specific Device Account Number is created, encrypted, and sent along with other data to Apple. Apple can’t decrypt it, but will add it to the Secure Element within your device. The Secure Element is an industry-standard, certified chip designed to store payment information safely. The Device Account Number in the Secure Element is unique to your device and to each card added. It’s isolated from iOS, never stored on Apple Pay servers, and never backed up to iCloud. Because this number is unique and different from usual credit or debit card numbers, your bank can prevent its use on a magnetic stripe card, over the phone, or on websites. Apple doesn’t store or have access to the card numbers you added to Apple Pay. Apple Pay only stores a portion of your actual card numbers and a portion of your Device Account Numbers, along with a card description, to help you manage your cards.

    The most important aspect of Apple Pay is that your credit card number is not sent to the merchant when you use Apple Pay - the only thing that is sent is a non-reusable secure token. The merchant that accepts your payment passes this token on to your issuing card company (e.g., Bank of America) for decryption and payment. Even if your merchant stored the token it would be useless to the hacker, since the token isn't re-usable. This has the effect of "reducing the surface area of attack". You, the Apple Pay user, will not care about the next massive break-in where hackers capture millions of credit card numbers. The hacker's job will become more difficult the more Apple Pay gains acceptance and usage. Aside from paying cash, I think that Apple Pay will be my default choice for payment, so I sure hope that usage spreads. As a consumer, I want Apple Pay to be very successful.

    We also win from a privacy perspective. Neither Apple, nor the merchant, know anything about me. They don't know my name because that is not provided to them by Apple Pay. They just know I authorized a payment. So tracking who I am and what I spend my money on is hidden from everyone involved. Imagine the heartburn that all those marketing and data collection people are going to suffer?

    Eddie Cue from Apple explains the security behind Apple Pay in this video which you should check out. Another great article that explains how Apple Pay could make credit card breaches a thing of the past can be found in PC World here. The Wall Street Journal also has an article related to the reporter's usage of Apple Pay here.

    How might Apple Pay benefit us folks in the IAM trenches? If companies are able to integrate the Secure Element/Apple Pay into their solutions, any Apple Pay-enabled phone could be used as a second factor for authentication. Nothing is released without confirmation via a biometric swipe, so not only do you have possession of the device but you also have to authorize the transaction. A transaction could be a logon via a VPN to your corporate network or the release of a password. Anywhere you might use a token, you could be able to use Apple Pay. Another example is Dell laptops. Many are NFC-enabled. Apple Pay is NFC-based. Imagine walking up to your Dell laptop and having it unlock from your screen saver for you. And vice-versa: you walk away, and when you are far enough away your screen saver locks your machine automatically.

    Like all revolutions, this one will take a bit of time to build up steam. I'm waiting on my iPhone 6 Plus so I can start using Apple Pay. In the meantime, Apple signed up 1 million Apple Pay accounts in the first 72 hours of operation. How many will they have by the end of 2015?

  • New "How To" Videos for ActiveRoles Server

    Any of you that use ActiveRoles Server (ARS) have experienced the broad functionality offered by the solution. But you still may not be getting the most out of ARS. Our technical team recently created a series of "How To" videos that will help you master some of the deeper functionality of ActiveRoles. Check them out:

    How to create a memory dump for a service or client process

    ActiveRoles Server 6.9 Reporting Components (part 1)

    ActiveRoles Server 6.9 Reporting Components (part 2)

    We hope that you will find these new videos useful.

  • Hardware, software or out-of-band: what's the latest trend for two-factor authentication?

    Most of us know what two-factor authentication is; after all, it has been with us for over 25 years. But while we have all been busy, things have been changing slowly and steadily, especially when it comes to choosing whether to deploy hardware, software or out-of-band tokens.

    Hardware or Physical Tokens

    By far the most commonly deployed in the past has been the traditional key-fob or key-ring style token, widely in use by many of us to protect our personal or business banking. The device contains an algorithm incorporating a clock or a counter, which, in conjunction with a 'seed' is used to calculate the OTP according to a unique but predictable sequence. When a user enters this number it establishes to a reasonable level of certitude that they are in possession of the token, because the server which is authenticating the user also knows the value of the token’s seed, and using the same algorithm and the time or a counter can predict the next valid OTP value.
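    One standardised form of the seed-plus-counter-or-clock scheme described above is HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238). The following is an added example (not from the original post or from Defender) implementing both the token side and the server's check, including the look-ahead window a server needs because a counter token can drift ahead of the server; the seed is the RFC test-vector secret, not a real one.

```python
import hashlib
import hmac
import struct
import time

# Added example, not from the original post: HOTP (RFC 4226) and TOTP
# (RFC 6238), the standardised form of "seed + counter or clock" tokens.

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Event/counter-based OTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer and reduced to `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: the counter is the number of `step`-second intervals
    since the Unix epoch, so token and server agree while their clocks roughly do."""
    return hotp(seed, at // step, digits)

def verify_hotp(seed: bytes, server_counter: int, submitted: str,
                look_ahead: int = 3):
    """Server-side check for a counter token. The token's counter may be ahead
    of the server's (the button was pressed without a login), so the server
    also accepts the next `look_ahead` values and resynchronises on success.
    Returns the new server counter, or None if nothing in the window matches."""
    if not (submitted.isascii() and submitted.isdigit()):
        return None
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(seed, c), submitted):
            return c + 1          # this and earlier counters are never accepted again
    return None

def verify_totp(seed: bytes, submitted: str, now: int,
                step: int = 30, skew: int = 1) -> bool:
    """Accept the current time step plus `skew` steps either side to tolerate
    clock drift and the delay between reading the code and submitting it."""
    if not (submitted.isascii() and submitted.isdigit()):
        return False
    base = now // step
    return any(hmac.compare_digest(hotp(seed, base + d), submitted)
               for d in range(-skew, skew + 1))

if __name__ == "__main__":
    seed = b"12345678901234567890"   # the RFC 4226 / RFC 6238 test-vector secret
    print("HOTP(counter=0):", hotp(seed, 0))
    print("TOTP(now):      ", totp(seed, int(time.time())))
```

Soft tokens, as the next section notes, run exactly this arithmetic in an app; the seed is what the attacker would need, which is why the post's later point about device locks matters.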

    Software Tokens

    With the arrival of smarter and more capable cell-phones, an alternative to the physical token began to appear about ten years ago. These typically take the form of an ‘App’ replicating the functionality of the hardware token in software, working in the same way to generate an OTP from a seed value in conjunction with time or an event counter; they can even be installed on our laptops and desktop computers. These software or ‘soft-tokens’ have a few distinct advantages over their hardware equivalents: instead of users being forced to carry an extra piece of hardware, our smart-phones are typically with us all of the time anyway, so we don’t need to carry anything extra. Most of us rely so heavily on our phones that any loss is noticed almost immediately, which is not necessarily true of our hardware tokens. In the event of loss of the phone, there is no physical cost associated with replacement of the token, just re-deploying the ‘app’. Furthermore, with the capabilities of many of today’s smartphones we are able to protect access to them with PINs, passphrases, face recognition, fingerprints, voice and more, adding a further layer of protection to the device. But it is only in relatively recent years that soft-tokens have begun to see greater acceptance, most likely because of the prevalence today of smart-phones capable of running such applications; everyone, it seems, has one.

    SMS – Out-Of-Band

    Yet another angle opens up when we consider the use of our smart-phones, or in fact any cellular phone capable of receiving an SMS text message. At the point of authentication, it is possible to deliver an OTP by SMS text message to the registered cell-phone of the user requesting authentication; since the phone is something the user has, this falls nicely into the category of a second factor. Great! This sounds like a perfect solution, right? Well, it too has some issues: SMS is not a guaranteed delivery mechanism, and depending upon location and cellular network coverage there may be latency in delivering the OTP. There is also a cost associated with each SMS.

    So, why are we still using Hardware Tokens?

    So, considering the options described above, are people continuing to use hardware tokens, or are they migrating in droves towards soft or SMS tokens? Well, having the second factor available on the same device from which we are requesting access to our applications and data could perhaps represent a bit of a contradiction of the concept of a second factor as something you have. If you don’t have a PIN or some form of device lock on your phone, are you any better off? The answer is somewhat subjective. Consider walking into an office environment and seeing an empty cube; next to the workstation is a set of house-keys with a keyfob hardware token attached. Actually, this situation is really not that uncommon: we typically dump our keys on the desk and get up to grab a coffee. Sure, our workstation is still protected by our password and screen-lock, but is this all that different from a soft-token on a phone without PIN protection? Attempting to compromise the software delivered to our smart phones is complex but not necessarily impossible. Many protections are in place, with vendors restricting the deployment of apps to devices directly from their ‘Application Stores’, where we trust that careful testing and validation are performed.


    We cannot ignore the fact that the use of and need for two-factor authentication is growing, as is our reliance upon smartphones as tools in both our personal and business worlds, as demonstrated by the rapid growth of BYOD for access to sensitive applications and data. This, together with the cost and convenience of the smart-phone as a potential authentication device, is most likely what is driving the trend, and the smart-phone as an authentication device must therefore be given more serious consideration. But, as with any security, it remains a compromise between cost, convenience and security.

    If you are interested in two-factor authentication, check out Defender, Dell’s two-factor authentication solution supporting a wide range of tokens including hardware, software and SMS. You can also request your free starter pack, which includes 3 hardware tokens, 25 software tokens and 25 user licences for 90 days.

  • Radboud University Gains Control of Provisioning and Access Governance Cutting Enrollment Time by 50 Percent

    Read full press release

    • Dell One Identity Manager enabled the university to simplify governance by merging multiple roles into a single identity
    • Risk reduced by ensuring more than 45,000 users have only the access they need

    Dell Software today announced that Radboud University, a leading Dutch academic community, deployed Dell One Identity Manager to gain control of both access governance and provisioning, reducing by 50 percent the time it takes students to complete the enrollment process. While many identity and access vendors require customers to choose between provisioning and governance, Identity Manager addresses both, enabling the university to create an efficient and effective identity and access management strategy that will serve it for years to come.

    In addition to being a leading academic community, Radboud University is home to several research institutions and is affiliated with one of the largest academic hospitals in the Netherlands. As such, the organization manages a constantly changing user population of 45,000-50,000, including students, faculty, alumni, independent researchers, contractors, and others. With a continually changing population, the university faced several challenges including "entitlement creep," which occurred as users changed roles: access required for their new roles was added, but access they had needed for their old roles was not always terminated, creating risk by giving large numbers of users access and entitlements beyond what they needed.

    With 10,000 students entering and leaving the university every year – students becoming alumni at graduation, and new students needing speedy enrollment in the fall – the university also needed to make real-time changes to students’ access rights. In addition, steady updates to national laws and business requirements regarding access made it necessary for the university to have a solution that enabled them to make those changes quickly and easily.

    The school found it difficult to manage all of these challenges with its legacy Sun Microsystems IDM solution without a significant increase in staffing. In addition, an uptick in data leaks at Dutch institutions in general caused university officials further unease. Because the university handles a great deal of sensitive data, including personal information, bank account information and research data, Radboud officials were particularly concerned about the potential cost to reputation and finances if a leak occurred due to inappropriate access.

    Gaining control of governance and provisioning, while increasing user satisfaction and decreasing IT workload

    Working with Dell implementation partner Intragen, Radboud University evaluated the market’s identity and access management solutions, and chose Dell One Identity Manager to address its multiple IAM needs. Completeness of solution was critical to the university’s solution choice, and Identity Manager was selected for its ability to address both provisioning and governance needs, unlike the university’s legacy solution. Using Identity Manager, Radboud put an end to entitlement creep, and enabled real-time changes to user access settings, ensuring the right people had the right access to the right data and applications. The solution also addressed the university’s unique and complex user environment, enabling the management of users with multiple roles (i.e., an alumnus who is also a faculty member) by linking each user’s roles to one identity.

    With Identity Manager, the university has cut the time required to provision a new user in half, and because processes that previously ran on a nightly basis can now run in near real time, enrollment time has also been reduced from two or three days down to one. Combined with the solution’s self-service options for users, these features have both improved user satisfaction and decreased IT workload.

    With its provisioning and governance needs addressed, Radboud University now has the security it needs to protect itself from data leaks, and resultant damage to its reputation and financial bottom line. With Identity Manager, the university is set to effectively manage identity and access today, and can grow the solution to meet its needs in future years.

    Supporting Resources: