Bob's Identity Management Blog » Compliance

ActiveRoles Sever 6.7 GA

Bob — Wed, 01 Dec 2010 02:02:06 +0000

I am very proud to announce that ActiveRoles Server 6.7 and Quick Connect 4.7 become generally available (GA) today. Look for the new product to be on our download servers over the next several hours. As with all previous releases – this release has several building blocks that when exploited will have a huge impact on both our customers and the market. Below I have included a What’s New list for the core ActiveRoles Product. Over the next three days I will provide some additional posts discussion some of these new features in a little more detail.

What’s New in ActiveRoles Server 6.7

The ActiveRoles Market -Improvements to policy extensions and workflow extensibility allow for more efficient tools for creating and deploying custom policy types that will be posted to the ActiveRoles Market

Improved Import/Export -For some time, ActiveRoles has come with a tool to import and export configuration settings and this tool has been improved and will continue to evolve from importing and exporting roles and policies to much more. The next version will provide the ability to import and export entire new solution scenarios including scripts, policies, workflow activities and web interface customizations.

Entitlement Profile – All-in-one view of each user’s entitlements to IT resources, which provides detailed
information about the applications, services and data locations the user is entitled to access, use or manage

Microsoft Outlook Approve/Reject buttons – Approval management tools integrated in Microsoft Office Outlook

Reply to approve a request – Approval management using e-mail clients directly from desktop or mobile devices

Workflow activity extensions – facilitates the creation, deployment and use of custom script-based activities

Simplified Self-Service UI – Improvements to self-service pages, to make it easier for self-service users to locate, select
and join groups and distribution lists

Simplified Workflow Notifications - Improvments to make approval notifications easier to both read and action.

New granular workflow triggers for Group Membership Requests – New workflow start options to distinguish between the “add to group” and “remove from group” requests

Improved Workflow GUI Editor – New workflow options for configuring approval rules, notification recipients and notification messages

See all parts of AD, not just the parts you own – Unmanaged account domains to reduce ActiveRoles Server licensing costs for areas of Active Directory not being managed by ActiveRoles Server

MMC Tabs for OCS – Ability to configure domain user accounts for Microsoft Office Communications Server 2007 or 2007 R2, by using the ActiveRoles Server console

Attestation for all AD Objects- Extended attestation capabilities, including the ability to review and certify almost any aspect of directory data, including data specific to user log-on accounts, service log-on accounts, group memberships, computers, contacts, and other types of directory objects.

To download this new version please go to: http://www.quest.com/common/registration.aspx?requestdefid=7910

Moving from Group to Access Management

Allison — Mon, 29 Mar 2010 20:37:15 +0000

Managing access to applications and data resources can be a time-consuming and error-prone process. IT administrators are often asked to grant access to sensitive data without knowing the business justification why a user should have it. The result may be inappropriate authorization, access delays, or groups that are bloated, outdated and inaccurate. This lack of accountability may cause security breaches and compliance audit failure. During this archived webcast, you’ll see how ActiveRoles Server enables:

Access Accountability
Authorizing groups today using roles and attribute access control (ABAC) to resources
Authorizing groups in the future with emerging technologies
Moving from Group Management to Access Governance and the keys to success

Presented by:
Robert Bobel, Platform Director of Product Management, Quest Software
Jason Barnett, Partner and Information Security Practice Manager, Ingenuity Associates,

View Archived Webcast

Quick Connect for Exchange Resource Forests

Bob — Mon, 08 Feb 2010 20:00:13 +0000

Last week I forgot to mention that we renamed our Exchange Resource Forest Manager module to Quick Connect for Exchange Resource Forests and updated it to support the latest version of Exchange and ActiveRoles Server. This module extends the multi-forest management capability of ActiveRoles Server to synchronize and provision accounts between a User Account Forest and the Exchange Resource Forest. Additionally, Exchange properties are projected from the Resource Forest onto the property pages of users in the User Forest for single point user account management.

Windows IT Pro Editor’s Choice: ActiveRoles

Bob — Tue, 26 Jan 2010 15:40:35 +0000

Eric Rux at Windows IT Pro magazine took on the job of installing and reviewing a bunch of AD Administration and Provisioning products to help readers select the most comprehensive and complete solution. Eric compared four different products and to me it was no surprise that ActiveRoles came out on top as the clear winner.

What is our secret? Simple, customer driven development, strong expertise and a team that is passionate about their work.

http://windowsitpro.com/Windows/Articles/ArticleID/103318/pg/4/4.html

ActiveRoles Server 6.5 goes GOLD!

Bob — Sat, 14 Nov 2009 16:18:48 +0000

A little earlier today I recieved the GOLD code for ActiveRoles Server 6.5, the next release in our wildly popular provisioning and administration platform. The public release is still a little way off, but it won’t be long now and the GOLD code will be used to perpare all the teams in Quest for unleashing this new fabulous version. I want to congratulate my development team for the extra hard work they put in to get this release done for today; Ilya great job. I would also like to add a personal thanks to Andrei his analitics group fo5 rr constantly providing research and assistance that helps keep all our moving parts moving. For a peek at what hot new features are in this release read my previous blog entry here.

(Note to self, never set an RTM for Friday the 13th.)

Approvals using the Outlook Client Technology

Bob — Thu, 17 Sep 2009 22:28:32 +0000

One of the conversations I had during my week in Berlin was with Dimitry Kaganski a Sr. Architect here at Quest. He had been asked by a customer, why we were not using Microsoft Outlook Client built-in work-flow to allow Outlook users to click a button to approve or reject work-flow requests in ActiveRoles Server. (The current version of ActiveRoles Server requires a user to be authenticated and we use those details to determine what approval tasks should be displayed.) I also mentioned that I have had other customers ask about this as a possible future feature. Dimitry’s next comment, knocked me flat on my heals.

Dimitry asked me how if we did provide approve/reject in Outlook workflow how would we prevent mailbox delegates clicking approve or reject before the mailbox owner saw the request – I had absolutely no answer. Because the activities of a delegate are not tracked, there is really no way to know what a delegated user is doing in the mailbox and so you would not know either what messages have been read or what approvals would have been processed. My fears about approving/rejecting requests had always been more around Spoofing, this conversation gives me even more concerns. Unless our brilliant developers could find some way around the way Outlook/Exchange work – I doubt this feature would ever make it through a compliance audit.

If Compliance is a only a symptom, what is the disease?

Bob — Tue, 15 Sep 2009 11:57:49 +0000

Most of the directory owners to which I speak, have for a number of years, been living with legal or regulatory compliance. Most have followed a predictable pattern of first sweating out their initial audit then later rationalizing better ways to implement whatever compliance policy to which they must adhere for sustained compliance. First Audits are often completed with brute force in a forest-killing documentation exercise. If that experience was painful enough (and it usually is) they progress to looking at the underlying issue driving the compliance requirement to which they find themselves victim. Ultimately this rationalization leads them to conclude that they must reach out to the enterprise and build compliance in business processes at which point they begin treating the root problem rather than its compliance audit symptoms.

You would think this would have been obvious from the start, but after reading the actual compliance equipments themselves it is easy to see why this causes so many people trouble. For example, the Sarbanes-Oxley Act of 2002 (SOX) was created to protect shareholders of public companies from financial miss-doings that could impact their investment. I will spare you the joy of reading section 404 of the SOX requirements which deals with the IT aspect of compliance and simply tell you, you would be underwhelmed by the lack of detail and direction it contains.

What is clearly spelled out in SOX is that the owner of an application or data should be responsible for controlling access to that owner’s resource and further there needs to be a set of controls to make sure this happens. The reasoning is simple, the application or data owner is in the best position to know and understand the business justifications for granting access to their resource. SOX doesn’t recommend what type of controls are needed only that they must exist.

The lack of detail around IT controls – leaves everything open to interpretation as to what is required on the part of IT to comply with the regulation. Because experience and competence varies by auditor and IT team, recommendations can be anything from a paper-based procedures to implementing a new compliance layer of audit software or worse. The directory owners I see who are able to achieve sustained compliance implement software based process controls. These software based controls should always automate and enforce governance be self-document and should support real-world demonstration that the controls are in place and effective. Once these controls are in place audit preparation time drops to hours rather than the weeks or months a first audit typically would require.

Provisioning and Attestation for SharePoint (Part 2)

Bob — Mon, 03 Aug 2009 14:00:56 +0000

On Friday I posted part 1 of the additional details about how Quick Connect for Base Systems: SharePoint Integration will provision SharePoint. This post, Part 2, will provide some additional details on the SharePoint Attestation and Remediation aspects of our solution.

SharePoint Attestation: For customers who own ActiveRoles Server and ActiveRoles Self-Service manager, this new addition will allow you to extend access certification reviews (a.k.a. Attestation) to your SharePoint Site owners through the easy-to-use self-service interface. The goal of attestation it to have the owner of the site’s data periodically review the individuals that have been granted access. The owner of the data is the logical choice for this type of review because he/she is typically the person who understands the business reasons why a particular user was granted access the data. Period certification reviews also provide a great way to determine which groups in AD are being properly managed – meaning if a group owner fails to perform the review their group is added to a list of suspect groups. If you want to understand more about Attestation, see my recent posts http://www.bobbobel.com/what-is-attestation/.

SharePoint Access Remediation: (Warning-teaser) In the next major release of ActiveRoles Server we will include a new set of optional policies that can be used to what essentially amounts to the ability to disable a group that is granting security access. We also link this new capability to our Attestation Policy so that when the resource owner fails to perform a required attestation review within a given review timeframe access can be withheld in a non-destructive way. This is of course optional and the disablement of the group can be reversed with a single click so that if a group is super critical it can be brought back almost instantly.

Provisioning and Attestation for SharePoint (Part 1)

Bob — Fri, 31 Jul 2009 14:00:30 +0000

Since I mentioned our work on SharePoint in may (see http://www.bobbobel.com/teched-day-2-sharepoint-and-ad-groups/) I’ve had a lot of request for more details. We have come a long way in the development cycle and so I wanted to share some details about our plans for a public beta that will happen in about one month’s time.

In August we will provide a new component of Quick Connect for Base Systems named Quick Connect for Base Systems: SharePoint Integration. This integration pack will install into the ActiveRoles Server console directly rather than appearing as a traditional connector in Quick Connect so as to simplify deployment.

SharePoint Provisioning: The primary purpose of the beta will be to provide automated provisioning and maybe more importantly automated Deprovisioning of user access to specific SharePoint sites. This is accomplished through the existing ActiveRoles Server provisioning and Deprovisioning policies so you control access in the exact same way you do other Microsoft applications even if you have not used followed Microsoft best practice by using AD groups to control SharePoint access.

(Part 2 http://www.bobbobel.com/provisioning-and-attestation-for-sharepoint-part-2/)