Bob's Identity Management Blog » Identity

Smart card presentation at the AFITC

Bob — Tue, 30 Aug 2011 16:02:50 +0000

Yesterday I had the opportunity to present at the Air Force Information Technology Conference 2011 on HSPD-12 and its impact on logical access control. While preparing for this session I realized I needed to re-visit Microsoft’s PKI (Public Key Infrastructure); especially changes in Windows 2008, Vista and Windows 7 strong authentication support.

The first thing that struck me was how many good resources are available for learning Microsoft’s PKI. Back in 2000 when I first installed a Microsoft CA (Certificate Authority) there didn’t seem to be enough detailed information and over the past eleven years I have only had infrequent occasions to use the software. At this point I want to recommend Brian Komar’s book Windows Server 2008 PKI and Certificate Security (I got the Kindle version for about $39). I also wanted to mention Vadim Podans’ white paper on PKI and using the Quest AD Commandlets to managed. You can download the white paper here and you can get the latest version of the AD CMDLETS here.

I also wanted to give a special thanks to Chen and John from SafeNet for hooking me up with SafeNet middle-ware tools (above) and smart cards that I used for to prep for the session. The software was both intuitive and easy to deploy.

SailPoint partners with Symantec

Bob — Wed, 25 May 2011 16:27:36 +0000

Interesting partnership. This will certainly help Symantec gain traction in this space.

http://insurancenewsnet.com/article.aspx?id=262663&type=newswires

Setup FREE Syncronization from AD to AD/ADLDS in 15 minutes or less!

Bob — Fri, 10 Dec 2010 18:17:02 +0000

What is ActiveRoles Quick Connect Express? With the latest release of ActiveRoles Quick Connect we bundled the Synchronization engine, the AD connector and the ADLDS (formerly ADAM) connector together. The big news here is that we labeled this core piece “Quick Connect Express” and you can download and used it to sync objects between those systems. For those of you who remember Microsoft’s IIFP – this package was my way of picking up the torch when Microsoft stopped updating IIFP several years ago.

Major benefits

After you install the application it takes less than 15 minutes to setup a sync between systems; so this thing is extremely easy to use
Synchronize Users, Groups, Group memberships and almost all other objects in AD
Built-in rules for user name generation and attribute transformation
Efficient Group Membership Synchronization
Sync Passwords between systems using the password capture agent for Windows clients
Hosting company and consultant friendly
Integrated PowerShell scripting for extending functionality

Download it here http://www.quest.com/activeroles-server/quickconnect-express-for-active-directory.aspx

Other free stuff from my team

SPML web service for provisioning AD or ActiveRoles Server http://www.quest.com/activeroles-server/spml.aspx
PowerShell commandlets for AD and ActiveRoles Server http://www.quest.com/activeroles-server/extensible-platform.aspx

Freeware use - becuase this is freeware Quest Support is not included without an actual purchase of the software. We do have an excellent forum where the answers to basic questions may have already been answered and of course you can always post a question of your own. http://activeroles.inside.quest.com/index.jspa

Moving from Group to Access Management

Allison — Mon, 29 Mar 2010 20:37:15 +0000

Managing access to applications and data resources can be a time-consuming and error-prone process. IT administrators are often asked to grant access to sensitive data without knowing the business justification why a user should have it. The result may be inappropriate authorization, access delays, or groups that are bloated, outdated and inaccurate. This lack of accountability may cause security breaches and compliance audit failure. During this archived webcast, you’ll see how ActiveRoles Server enables:

Access Accountability
Authorizing groups today using roles and attribute access control (ABAC) to resources
Authorizing groups in the future with emerging technologies
Moving from Group Management to Access Governance and the keys to success

Presented by:
Robert Bobel, Platform Director of Product Management, Quest Software
Jason Barnett, Partner and Information Security Practice Manager, Ingenuity Associates,

View Archived Webcast

Approvals using the Outlook Client Technology

Bob — Thu, 17 Sep 2009 22:28:32 +0000

One of the conversations I had during my week in Berlin was with Dimitry Kaganski a Sr. Architect here at Quest. He had been asked by a customer, why we were not using Microsoft Outlook Client built-in work-flow to allow Outlook users to click a button to approve or reject work-flow requests in ActiveRoles Server. (The current version of ActiveRoles Server requires a user to be authenticated and we use those details to determine what approval tasks should be displayed.) I also mentioned that I have had other customers ask about this as a possible future feature. Dimitry’s next comment, knocked me flat on my heals.

Dimitry asked me how if we did provide approve/reject in Outlook workflow how would we prevent mailbox delegates clicking approve or reject before the mailbox owner saw the request – I had absolutely no answer. Because the activities of a delegate are not tracked, there is really no way to know what a delegated user is doing in the mailbox and so you would not know either what messages have been read or what approvals would have been processed. My fears about approving/rejecting requests had always been more around Spoofing, this conversation gives me even more concerns. Unless our brilliant developers could find some way around the way Outlook/Exchange work – I doubt this feature would ever make it through a compliance audit.

Privilege Account Management: a logical evolution of Provisioning

Bob — Mon, 17 Aug 2009 20:14:30 +0000

Martin Kuppinger of the analyst firm KUPPINGERCOLE wrote an interesting article on how the Siemens DirX Identity provisioning product added Privilege Account Management as a core component. See Is PAM (or PIM or PUM) moving into Provisioning?

To me this makes sense from both an infrastructure and resource perspective. It is pretty clear to most people that the infrastructure architecture required for provisioning is virtually identical to the architecture needed for Privilege Account Management. There are of course some minor differences, but for the most part you have the same moving parts.

My personal opinion is that in addition to Provisioning, Privilege Account Management should not be done separatly from delegation using IT Roles as doing so would fracture the delegation model into separate pieces. Sometimes, admin A would have permissions through a Privilege Account Managment solution and sometimes admin A would have permissions from the IT roles system; not a good situation. This would not only make auditing and compliance more difficult, operationally it would hamper the IT staff since two sets of connectors, workflows and interfaces would have to be maintained.

Myths of Role Mining

Bob — Mon, 10 Aug 2009 14:00:55 +0000

Have you heard of Role mining? Some of my southern relatives worked in coal mines and I’ll tell you Role mining doesn’t seem to be much less work. Role mining is the process by which user accounts in your organziation are mapped to application accounts, permissions, entitlments or resources.

Myth: Role mining tells me what my users should have access vs. does have access

The ultimate goal of role mining is pretty simple, you want to know the things to which your users should have access vs. to those they actually have access.

Myth: Enforces separation of duty

Myth: Streamlines Access Provisioning

Will my audit fail without Attestation? (Part 3 of 3)

Bob — Mon, 27 Jul 2009 20:14:02 +0000

Most legal or regulatory requirements simply state that both Access Controls and Attestation are required for an audit, but they don’t specify if those controls are to be paper based or part of an electronic workflow. Many organizations spend thousands of hours building a paper based set of controls and attestation process only to be asked to “prove” the controls work. Because the controls are only paper based verifying the effectiveness of the controls becomes time consuming and difficult as paper requests and reviews are shuffled between people or departments. More and more auditors are discovering that a lack of controls, especially around unintended group usage, is cause to delay or fail an audit.

A caution about Attestation over group memberships: When a group is created and assigned access to a specific resource, this assignment is deliberate and intended. Unfortunately, over time it is possible for the group to receive unintended access to some resources, either maliciously or accidentally, because the operating systems and directories do not have the ability to prevent it. Therefore, the resource owner is never really able to know all of the accessible resources of the group. This directly impacts the third attestation statement so make sure any electronic attestation solution you select has the ability not only to certify who has access, but that it also provide the capability to show to what those users have access.

What makes Attestation Difficult? (2 of 3)

Bob — Tue, 21 Jul 2009 07:02:10 +0000

First there is no built-in mechanism to enforce an attestation policy or help perform the access reviews. Microsoft Windows Server and Microsoft Active Directory use groups as the basic mechanism to control access to resources, and most non-Microsoft operating systems and directories use them as well. Because groups are universally accepted as the method by which users are authorized to use a resource, many vendors provide the ability for group attestation as part of access management solutions. This functionality is intended to satisfy audit or security requirements.

Unintended Access Senarion (Click to enlarge)

Read Part 3 of 3 here http://www.bobbobel.com/will-my-audit-fail-without-attestation-part-3-of-3/

Quick Connect for Online Services goes gold!

Bob — Tue, 23 Jun 2009 19:00:09 +0000

Shortly after my receiving the notification about Quick Connect for Lotus Notes, I received a note that Quick Connect for Online Services went gold also. The vision for Quick Connect for Online Services is that it will provision cloud based application like Google Premier which provides Internet based applications and collaboration. Like ActiveRoles Quick Connect for Lotus Notes, Quick Connect for Online Services will be publicly available in July.

Case Study: 4 days to automated provisioning

Bob — Fri, 19 Jun 2009 19:12:26 +0000

As a follow up to the article in Advanced for Health Information’s artical about Childrens Memorial Hospital, Quest has published a case study with some additional detail about how Childrens went about achiving such valuable results in such a short amount of time.

http://www.quest.com/Quest_Site_Assets/SuccessStories/CSW_CMH-ARSPM-US-MJ.pdf

See how automated provisioning made a hospital more efficient in just 5 days!

Bob — Wed, 17 Jun 2009 17:41:43 +0000

This is amazing. Children’s Memorial Hospital in Illinois automated user account provisioning, deprovisioning and access managment in just 5 days, using ActiveRoles Server and Quest Password Manager. (I hear our customers telling me this over and over, but it always looks better in print.)

http://health-care-it.advanceweb.com/Article/Simplifying-User-Access-and-Provisioning-2.aspx