Identity and Access Management community: Discover and share best practices to control IAM for your real world.

  • What's Securing your Big Data Environment?

    Anyone associated with tech these days has heard the term “Big Data.” This term can refer to many different technologies, methods, and concepts. One technology that Big Data refers to is NoSQL. NoSQL is a database technology that provides a radically different method of storing and retrieving data than a traditional relational database like Oracle’s DBMS. This gives NoSQL performance advantages when used with certain datasets. The most popular NoSQL database is MongoDB. MongoDB is used by over 2,000 organizations, including one third of the Fortune 100, to solve their companies’ information problems.

    When a new technology emerges, businesses will first evaluate the technology to verify its value. Once that is done, the business looks to add security controls. According to Gartner’s 2013 Big Data Survey, a full 27% of respondents put security as a challenge. With the enterprise adoption of MongoDB, businesses are looking to incorporate the same security controls they are accustomed to with their traditional DBMS.

    Today we are happy to announce a technology integration with our friends at MongoDB. With the assistance of Alex Komyagin at MongoDB and our own Kyle Robinson, we provide a step-by-step guide to integrate Authentication Services with MongoDB. Prior to this integration, MongoDB customers did basic LDAP-type integrations that did not leverage the power and flexibility of Active Directory. Using Authentication Services, customers can take advantage of all the benefits Active Directory offers as a directory service. This integration allows our customers to enjoy two industry-leading technologies, MongoDB and Authentication Services, all while reusing a proven security infrastructure.

    More information can be found on MongoDB's site or in the Dell Software Knowledge Base.

  • The Next Frontier of Identity and Access Management: Business Agility

    For years, identity and access management (IAM) has been seen as the project of denial, restriction, limitation and sometimes failure. The processes and technologies required to enhance security seemed also destined to stifle collaboration and interfere with revenue-generating …blah blah blah. Let me boil it down for you.

    Fundamentally, you’re probably in one of several camps:

    1. You have lived through or are living through an IAM project gone wrong.

    2. You’re new to IAM, and/or

    3. You’re trying to secure funding for your security / IAM project.

    The high-quality, completely over-produced graphic to the right depicts your challenges.

    Dell has a plethora of content to help people in the upper right. Basically, that answer is “what’s your pain?” Is it two factor authentication? Single sign-on? Privileged accounts? We have you covered. Our latest white paper deals with the upper left quadrant.

    Learn how you can position your security / IAM project as a business enablement tool. Looking at the project through the lens of the business owner, you’re likely to find additional sources of funding for those IT organizations that might be wary of investing further in IAM where they may have already “touched the hot stove several times.”

    If this sounds like you, I recommend you take a read. It’s quick and interesting, even if I have to say that because I wrote it. Also, if you do read it, I’d appreciate your feedback. Thanks!



  • Three Steps to Simplify Your Identity and Access Management

    I spend way too much of my time thinking about identity and access management (IAM). I guess it’s what pays the bills, so that’s a good thing. I get paid to write about, talk about, and evangelize the Dell way of doing IAM.

    I’ve written a little book called Identity and Access Management for the Real World. Chapter One: The Fundamentals delves into the basics of IAM, the challenges we all face, and some recommendations to overcome those challenges.

    Unlike many of you, if I mess something up I just look like a fool … no one really gets hurt, my employer doesn’t suffer significant damage, and there are no headlines warning everyone of the dangers of doing business with me or my employer.

    Identity and access management challenges can be boiled down to a few concepts:

    • People need access to stuff to do their jobs and someone has to make sure that they can get to what they need when they need it.
    • The business needs to make sure that those people only get to the stuff they should get to and not too much.
    • There’s always someone watching to make sure that you do those things according to some rules, that you had no hand in defining.
    • The people at risk if things go wrong are often woefully lacking in the ability to control their own fates (i.e., they must rely on people that know how to do stuff, but not why to do it, to actually set up and enforce the rules that must be followed).

    These tenets aren’t universal; there are organizations that have everything nailed down and have all the right people doing the right things and are able to prove it. But there are many more (possibly you and your organization) that are struggling with one or more of these factors. That’s just the way it is. Here’s a short Identity and Access Management video that discusses one company’s struggle with, and solution to, this complexity problem.

    I think the reason we have these problems is that we’re spending so much time putting out fires that we haven’t been able to purge the dead undergrowth to prevent the next fire from spreading out of control. After all, when you find a weakness or experience a breach, you must immediately find a solution to that problem. And the fastest solution may not be one that has anything to do with preventing the next fire that will inevitably ignite. We end up with a bunch of disjointed access methods, a jumble of ways authorization is defined and enforced, and lots of productivity-sapping hoops that end users and IT have to jump through just to do their jobs – all in the name of better security. The victim is business agility (and isn’t that what we’re all in business for in the first place?).

    Here are three things you can do to minimize the disjointed and ad hoc approach to IAM that is so prevalent:

    1. Reduce complexity wherever possible. Take advantage of existing tools and infrastructure whenever possible to reduce the need for new identities, new provisioning workflows, and new IT tasks simply to grant users access. A great example of this is the AD bridge – simply extending Active Directory authentication and authorization to Unix/Linux systems has proven to dramatically reduce the workload and risk of access to those systems.

    2. Put the business in charge. We all love our IT departments but they should not be the ones making decisions on who should access what and under what circumstances. But they are precisely the ones that most often control these things simply because they know how to manage the systems and the accounts. Do whatever you can to return that control to the ones that are accountable for the data stored and used on those systems.

    3. Keep your eye on the prize. The ultimate goal of everything is to fulfill your organizational objectives – whether that’s making money, serving constituents, educating people, or changing the world. This concept of agility is difficult when all your efforts are focused on simply getting things done. From an IAM standpoint this means lots of wasted time and effort on menial tasks like password resets, multiple logins, redundant roles, and manual provisioning processes. All of those things are important, but following the first two recommendations will inevitably result in a more efficient (and more governable) IAM approach that becomes a business enabler, not a productivity black hole.

    The little book I've written goes into more detail on this future-proof approach to IAM. Subsequent chapters discuss the specifics of governance, access management, privileged account management, mobility, and even IAM as a service. I’ll be writing about those topics in the coming weeks.


  • Making Security a Business Enabler Not a Barrier

    January 27, 2015 | 1:00 p.m. Eastern / 10:00 a.m. Pacific

    For years, identity and access management (IAM) has been seen as the project of denial, restriction, limitation and sometimes failure. The processes and technologies required to enhance security seemed also destined to stifle collaboration and interfere with revenue-generating work. In fact, at times, the processes forced employees, partners and customers to spend precious time searching for ways to circumvent the IAM infrastructure in order to do their jobs.

    The next generation of IAM solutions is changing this perception. Attend this live event with Carol Fawcett, Executive Director & Chief Information Officer at Dell Software, to learn how these new modular and integrated IAM solutions better enable business.

    Attendees will learn how the latest IAM solutions:

    • Enable IT to offload those pesky decisions of who needs access to what and put them in the hands of business owners who can better address them
    • Empower auditors to get what they need without interrupting the business
    • Enable individual workers to get swift and controlled access to the things they need to be productive and do their jobs
    • Help IT professionals recast the benefits of their IAM projects beyond security and add business value through increased operational agility

    Register today!

    About the presenter:
    Carol Fawcett is Executive Director, Mergers & Acquisitions and Chief Information Officer for Dell Software Group at Dell. She is responsible for leading and driving Dell Software’s overall strategic information technology vision, enabling the company to align, leverage and capitalize on the biggest trends in security, mobile, analytics and cloud. Carol has more than three decades of experience serving in IT leadership roles. Prior to joining the Dell Software team Carol held positions at Quest Software, Western Digital, Coldwell Banker and Pacific Mutual.

  • KuppingerCole names Dell One Identity Manager "Overall Leader" in Leadership Compass

    Access Governance remains one of the fastest growing market segments in the broader IAM/IAG (Identity and Access Management/Governance) market. Over the past few years, this segment has evolved significantly. Access Intelligence, which provides advanced analytical capabilities for identifying access risks and analyzing the current status of entitlements, is one of these additions, not to mention improved capabilities in managing access risks and user activity monitoring.

    We were actually named Leader in all 4 categories by KuppingerCole in the 2014 Access Governance Leadership Compass report:

    • Overall Leader
    • Product Leader
    • Market Leader
    • Innovation Leader

    "Dell Software has established itself as a leading vendor in the IAM/IAG market place with the Dell One Identity offerings. Dell One Identity Manager and the additional Data Governance edition deliver not only strong Identity Provisioning capabilities but also excel in Access Governance and Data Governance."
    —Excerpt from KuppingerCole Leadership Compass: Access Governance 2014

    This Leadership Compass provides an overview and analysis of the Access Governance market segment, and the solutions available.

  • IT services company secures remote vendor access to privileged accounts while reducing provisioning time by 75 percent.

    GE.SI.ass, an Italian IT services company, needed to outsource some of its support activities for their customers’ business intelligence solutions to a partner. Outsourcing support activities would require GE.SI.ass to give the partner access to some of their privileged accounts. Given the current threat landscape, as well as the need to meet the compliance and auditing demands of their customers, GE.SI.ass knew that they needed a solution to help them issue privileged access to the partner in a secure manner with full auditing capabilities. GE.SI.ass chose Dell’s Privileged Password Manager and Privileged Session Manager to do just that. With Dell’s privileged management solutions, the partner is granted access to systems based on predefined policies and approval workflows without ever knowing the passwords to the privileged accounts. In addition, all actions they perform on the system are recorded for auditing and compliance. GE.SI.ass also reduced the time it took them to bring new systems under management by 75 percent using Dell privileged management solutions. Read the full case study here.

  • Cloud Access Manager and Microsoft Office 365: 5 Things to Know

    Organizations considering Office 365, particularly those that already run Active Directory in-house and leverage it to provide single sign-on to Microsoft applications, quickly learn that moving to Office 365 means extra identity management work. Specifically, in order to use Office 365 a user (a) must have an account in the organization's Office 365 tenant, and that account (b) is going to have its own user name and password to manage (or forget, or write down, etc.).

    Microsoft provides APIs and tools to lessen this additional identity management burden. Their Dirsync and ADFS technologies, respectively, facilitate synchronization of on-premise Active Directory accounts to the cloud, and single sign-on (SSO) from an on-premise AD to the cloud using identity federation technology. With federated SSO in place, an organization's users don't need to type a user name or password to access the Office 365 applications from within their corporate networks, and organizations can control access to Office 365 through their local AD deployments.

    To Microsoft's credit, they have listened to their customers who have wanted to leverage existing investments in federated SSO solutions (which often have more capability than ADFS) by creating the Works with Office 365 - Identity certification program. Dell One Identity Cloud Access Manager is a participant in the program, which tests interoperability between third-party solutions and Office 365, and creates communications channels for joint support troubleshooting and resolution.

    During the certification process, I learned a lot about Office 365, and how Cloud Access Manager's Office 365 support compares to alternatives. Here is a short list of considerations to keep in mind when looking at Office 365 single sign-on solutions:

    1. Support for *all* application types
      Office 365 can be accessed through a web browser (SharePoint Online, the Office web applications, Exchange Web Access), through desktop clients (Word/Excel, Outlook, Lync desktop clients), or through mobile clients (native email clients on mobile devices, Microsoft native mobile apps). Each of these clients uses a different method of accessing Office 365. Cloud Access Manager supports Office 365 access through all of these application types.

    2. Integrated Windows Authentication (IWA) support
      Federated SSO *can* make it so users never have to type a user name or password to access Office 365 using web or desktop clients (except for Outlook, which must cache credentials). But desktop client IWA support requires that the federation solution support a specific federation endpoint for scenarios where a user has an existing Kerberos session, as might be the case when logged into a corporate network. Cloud Access Manager supports this "windowstransport" endpoint.

    3. Remote access scenarios
      When users are not on the corporate network (e.g. accessing email using a mobile device over wifi), how do they access the federation server to get the security tokens which enable Office 365 access? A federation server should be deployed so that it can be accessed from the internet, through a DMZ-based proxy that protects the private keys being used to sign the security tokens. Cloud Access Manager comes with an embedded reverse proxy that enables secure access to the federation server, as well as to internally-hosted applications, from anywhere.

    4. Multiple forest support
      Lots of organizations have users in multiple forests. It can be difficult to use one Office 365 tenant to service customers in multiple forests using ADFS, since ADFS is built to connect only to the AD forest in which it is installed. Cloud Access Manager can be deployed in various configurations to support multiforest deployments, including ones that share a single Cloud Access Manager instance and/or can enable IWA for users in all forests.

    5. Account provisioning
      Microsoft does not operate an equivalent of the Works with Office 365 - Identity certification program for third-party solutions that can execute the Office 365 directory synchronization functions that Dirsync (and Microsoft Forefront Identity Manager, and more recently Azure Active Directory Sync) can. But the Azure AD Graph API makes possible programmatic creation of Office 365 identities - Cloud Access Manager does it! In some cases we recommend using Microsoft technology, and make it easy to turn on/off the native provisioning logic.

    Office 365 is just one of the growing number of applications supporting identity federation technology to extend authentication out from the enterprise to the cloud. If your organization is struggling with password management issues after employing SaaS applications, federation solutions like Cloud Access Manager can help address those issues.

  • What are key deciding factors when choosing IAM as a Service (IAMaaS) versus on-premise software?

    View the On-demand Webcast: Applications, the Cloud, and Identity - Is IAMaaS right for you?

    Listen to industry veteran Nick Cavalancia and David Miles, Sr. Product Manager of Dell Software discuss key deciding factors when choosing IAM as a Service (IAMaaS) versus on-premise software.

    • How does IAMaaS work as compared to traditional on-premise products?
    • Does the makeup of your IT team tell you whether IAMaaS is right for you?
    • Does IAMaaS impact your IT budget in a unique way?
    • What is a better fit? On-premise or SaaS?

    View webcast today!

  • New Authentication Services security modules for Red Hat Enterprise Linux with SELinux fully enforced

    Security has become an increasingly important consideration for organizations. Authentication Services has always held security as one of its most important and core functions. In keeping with this concept, we have been working on modules to ensure that Authentication Services will work on a Red Hat Enterprise Linux operating system with SELinux fully enforced. We have been testing and modifying these modules for some time now to make sure they will work with as many configurations as possible; however, internal testing can only go so far.

    Our goal is to ensure we have something that will be functional for as many environments as possible without additional configuration, while remaining secure. As such, we would like to solicit feedback from the Authentication Services community. A project has been started that includes access to the modules and instructions on how to implement them. The Authentication Services forums are available to provide feedback on anything you might discover or would like to comment on.

    As Helen Keller once said, “Alone we can do so little; together we can do so much.” We invite you to work together with us to make this functionality as robust as possible. So join the conversation today.

    For access to the project, please visit our GitHub page.

    To discuss the project or to ask any questions, please visit the All Things Unix Forum.

    ** Please Note: These modules are considered test modules and are therefore not yet fully supported. They are intended for test environments only. For assistance, we ask that you post your questions or concerns to the forum, where the product team will review and assist. **

  • People aren't the only risk in your organization. Learn ten ways to secure and manage the risks of service accounts.

    Webcast: 10 Ways to Secure and Manage the Risk of Service Accounts and Other Non-Human Accounts

    Date: 12/18/2014 at 11:00 AM ET

    Accounts for services and scheduled tasks don’t involve direct human interaction every time, so they’re non-human. They may not pose the same danger as an out-of-control cyborg, but these accounts may pose a greater risk to security than you might think. Attend this webcast with Randy Franklin Smith, where he will show you how these types of accounts create all kinds of risks and management burdens, and what to do about them, including:

    • How exactly non-human accounts pose a serious threat
    • Proven controls and best practices for securing these accounts
    • The simple logon strategy that can strengthen security
    • How to automate processes that mitigate these risks

    Register today!