Identropy Blog Launch

Check out the new Identropy Identity Management Blog, or subscribe to the RSS feed.

I recommend this resource to anyone who would like to learn about Identity Management. It is particularly geared towards those who want to learn the basics. The Identity 101 series is especially insightful: the various aspects of Identity Management (provisioning, single sign-on, etc.) are covered, and use cases are given to illustrate why solutions are needed.

16 Dec 2008

Manual processes are as good as…


Ash asked for IdM one-liners, so here's one for you: your manual processes are as good as the errors they produce. Recently I was working with a client that had various rules in place concerning employee identities. The problem was they were relying on manual processes to enforce them, thus opening themselves up to human error. One example would be their username naming convention, which consisted of a combination of characters from the first name, middle name and last name, with special cases for exceptions (e.g. if a username was already taken). While working on the IdentityMap for this client, they decided they wanted to do some data cleansing as well, so I started writing rules for excluding problem records. Hundreds of records were out of compliance with their various rules.
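The naming rule and the compliance sweep described above, as an added Python example. This is not the client's code, and the post does not spell out the actual convention, so the concrete rule (first initial, middle initial, first six letters of the surname, lower-case letters only, numeric suffix when the name is already taken) and the sample HR records are assumptions constructed for this example:

```python
import re
from collections import Counter

# Assumed convention (the post only says the username combined characters
# from first, middle and last name, with an exception when the name was taken):
#   first initial + middle initial (if any) + first six letters of the last name,
#   lower-case ASCII letters only; on collision append 2, 3, ... to the base.
USERNAME_RE = re.compile(r"^[a-z]+[0-9]*$")


def _letters(s):
    """Keep only lower-case ASCII letters; drops apostrophes, accents, spaces."""
    return re.sub(r"[^a-z]", "", (s or "").lower())


def base_username(first, middle, last):
    """The username the convention would produce before any collision handling."""
    return _letters(first)[:1] + _letters(middle)[:1] + _letters(last)[:6]


def assign_username(first, middle, last, taken):
    """Apply the convention plus the collision exception; adds the result to `taken`."""
    base = base_username(first, middle, last)
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}"
    taken.add(candidate)
    return candidate


def check_compliance(records):
    """Data-cleansing sweep: return (employee_id, username, reason) for every
    record that breaks the naming rule, so the automated rule, not a person,
    decides which records are out of compliance."""
    findings = []
    counts = Counter(r["username"] for r in records)
    for r in records:
        u = r["username"]
        base = base_username(r["first"], r["middle"], r["last"])
        if not USERNAME_RE.match(u):
            findings.append((r["employee_id"], u, "illegal characters"))
        elif not re.fullmatch(re.escape(base) + r"[0-9]*", u):
            findings.append((r["employee_id"], u,
                             f"does not follow convention (expected {base} or {base}N)"))
        if counts[u] > 1:
            findings.append((r["employee_id"], u, "duplicate username"))
    return findings


# Constructed sample HR records for this example (not client data).
SAMPLE_RECORDS = [
    {"employee_id": "1001", "first": "John", "middle": "Quincy", "last": "Public", "username": "jqpublic"},
    {"employee_id": "1002", "first": "Jane", "middle": "", "last": "Public", "username": "jpublic"},
    {"employee_id": "1003", "first": "Jane", "middle": "", "last": "Public", "username": "jpublic"},  # manual duplicate
    {"employee_id": "1004", "first": "Mary", "middle": "Ann", "last": "O'Neil", "username": "maoneil"},
    {"employee_id": "1005", "first": "Sam", "middle": "", "last": "Lee", "username": "sam.lee"},  # hand-typed, off-convention
    {"employee_id": "1006", "first": "Ana", "middle": "", "last": "Lee", "username": "alee2"},  # legitimate exception suffix
]

if __name__ == "__main__":
    for finding in check_compliance(SAMPLE_RECORDS):
        print(finding)
```

Running the sweep over the sample flags the duplicated jpublic pair and the hand-typed sam.lee, while alee2 passes because the suffix is exactly what the collision exception would have produced. The same two functions that enforce the rule at provisioning time are the ones that audit the existing records, which is the point of the one-liner.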

So the lesson to learn here is:

continue reading "Manual processes are as good as…"

3 Dec 2008

What’s your favorite LDAP browser?


I found this LDAP browser/editor to be really good! If you use it on a client's directory and have write privileges, be careful not to overwrite anything. Another cross-platform browser, suggested by Eric, is LDAPSoft's browser.


continue reading "What’s your favorite LDAP browser?"

12 Nov 2008

Understanding Identity: Provisioning; The Players


Gartner puts out its Magic Quadrant for User Provisioning report annually. This report identifies the leading players in the market and provides a lot of data on the adoption of provisioning identity products.

The usual suspects (Sun, Novell, Microsoft, IBM) are mentioned, although there are other major players as well, e.g. Courion. The company I work for, Identropy, gets a mention as an innovating force in its role as a Courion partner. Understanding these products may give you a practical feel for what role identity is playing at this point in time.

Read the full report here:
http://mediaproducts.gartner.com/reprints/novell/159740.html

Reblog this post [with Zemanta]
12 Nov 2008

Mapping Tivoli- Lessons Learnt


I was at a client doing some identity mapping. They have Tivoli Identity Manager (TIM), which had to be mapped against their PeopleSoft data. I needed to pull their usernames (eruid) and employee IDs (eradEmployeeID) from the objectclass eradaccount (the AD-sourced accounts); I also had to get their email addresses, which live under a custom objectClass (they did not come from AD originally). I was trying to write a VBScript to pull everything, but unfortunately all the code out there on the web is very AD-specific (the AD provider, ADsPath, etc.), and I was not able to get a query from a VBScript to hit LDAP properly.

So I emailed Charles Ahart, a blogger who writes about his Tivoli experiences, and told him about my problem. I mentioned I was trying to pull this data into SSIS to map it against their PeopleSoft employee IDs, so VBScript or VB.NET code would work. I was also given access to their DB2 database. That thing is crazy: I could connect to it from SSIS, but the data is all over the place. While I needed just three attributes, it was very difficult to track them down; even the client's TIM DBA couldn't figure it out. So I thought if I can't do this with a script, I will have to do it by running a query against DB2. I think the script would be the easier route to take.

Charles Responded:

continue reading "Mapping Tivoli- Lessons Learnt"

12 Nov 2008

Understanding Identity Part 1


If you want to understand Identity Management, you first have to be able to analyze the problems surrounding corporate identities today. Courion, an identity software vendor (I recently completed training on their product), held an event where they presented their product. An attendee wrote:

Observations from Converge:

- The main industry vertical customers attending were financial and health care. User provisioning is a key issue and it is very expensive to do manually

- RoleCourier is gaining traction as customers are using it to avoid complexity, excessive roles, and political situations that arise when doing role-based provisioning

- ComplianceCourier is getting a lot of interest for its capability to enable business managers to periodically review and verify employee access rights

- There was a great customer presentation from Goodyear Tire and Rubber Corporation, where they discussed a previous failed attempt at implementing IAM, followed by their project with Courion, which is rolling out very smoothly. One interesting note: a focus on educating and motivating users to appreciate the new system really pays off.


continue reading "Understanding Identity Part 1"

12 Nov 2008

Installing VMWare on Linux


When doing Identity Management integrations it's very important to properly train consultants/integrators. While shadowing is a good way to get someone acquainted, it's even more important to provide hands-on training. Dedicating an entire machine to each employee's testing purposes becomes difficult quickly.

Virtualization helps eliminate the resource-intensive requirement of having all that hardware. Plus it allows you to deal with multiple environments and makes reusing an entire installation as easy as copy and paste.

In an earlier post I mentioned that you can set up a VMware test server using VMware Server on Linux as a development server for multiple users.

I followed this link to recently install VMware Server 1.0.7 on openSUSE 11. Before doing anything, update your Linux installation from YaST or run zypper refresh followed by zypper update in a terminal (openSUSE uses zypper, not apt-get). Run all updates (and do this frequently). Then grab the latest version of VMware Server from vmware.com. After unzipping the file, these are the commands you should run in a terminal and the results you should get. The trick is getting your dependencies right. If you get an error along the way, search for that library in YaST, or do a Google search on the missing library and find out how to install it from the terminal. After installing the libraries, start the process again. I had to install the latest version of gcc to make this work.


continue reading "Installing VMWare on Linux"

18 Oct 2008

Novell Sentinel Training Day 4

To conclude my thoughts on the training, I thought I would include some screenshots so you can see Sentinel in action for yourself!

To sum up, the way Sentinel works is:

  1. Logs are pulled into Sentinel and each line is separated into events with severity levels ranging from 1 to 5.
  2. You define filters to look for events of interest. For example, a filter might look like:
    filter(((e.DeviceCategory = "IDS") and (e.Severity >= 4)))
  3. Multiple events can be grouped together and marked as incidents. Each incident can be assigned a category and assigned to a person for further investigation.
  4. Using filters, a correlated event can kick off an action (or trigger) such as sending an e-mail, appending to a list, appending an LDAP attribute or kicking off a JavaScript file (for further flexibility).
  5. Process workflows can be designed to dictate the logic behind how an event is handled. The chain of command can be worked into the workflow, i.e. when a correlated event takes place an analyst can be prompted to check out the incident. Once the analyst attempts to rectify the problem and closes it out, it can then go to an administrator who can further investigate or close out the incident.

This is the process in a nutshell; if you follow the screens after reading the explanation, it might make more sense.
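The five steps above as a small end-to-end pipeline, added here as a Python example; it is not Sentinel code and not from the original post. The filter function mirrors the filter expression quoted in step 2; the log format, the grouping key (source and destination address), the "two events make an incident" threshold, and the in-memory stand-ins for the e-mail and list actions are all assumptions made for this example:

```python
import re
from dataclasses import dataclass

# Constructed sample log lines for this example (a syslog-like key=value
# format, not Sentinel's own collector output).
SAMPLE_LOG = """\
2008-11-12T10:00:01 ids01 IDS alert=port-scan src=10.1.1.7 dst=10.1.2.5 sev=4
2008-11-12T10:00:02 fw01 Firewall deny src=10.1.1.7 dst=10.1.2.5 dport=445 sev=2
2008-11-12T10:00:03 ids01 IDS alert=brute-force src=10.1.1.7 dst=10.1.2.5 sev=5
2008-11-12T10:00:04 app01 Application user=alice action=login result=success sev=1
2008-11-12T10:00:05 ids01 IDS alert=info-probe src=10.1.1.9 dst=10.1.2.6 sev=3
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<category>\S+)\s+(?P<kv>.*)$")


@dataclass
class Event:
    ts: str
    host: str
    DeviceCategory: str   # named after the Sentinel filter fields quoted in the post
    Severity: int         # clamped to Sentinel's 1..5 range
    fields: dict


def parse_line(line):
    """Step 1: turn one log line into an event; returns None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kv = dict(p.split("=", 1) for p in m["kv"].split() if "=" in p)
    sev = min(5, max(1, int(kv.pop("sev", "1"))))
    return Event(m["ts"], m["host"], m["category"], sev, kv)


def ids_high_severity(e):
    """Step 2: the post's filter(((e.DeviceCategory = "IDS") and (e.Severity >= 4)))."""
    return e.DeviceCategory == "IDS" and e.Severity >= 4


def run_pipeline(log_text, event_filter, min_events=2):
    """Steps 1-4: parse, filter, group into incidents, fire actions."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    matches = [e for e in events if event_filter(e)]
    groups = {}
    for e in matches:                       # step 3: group by source/destination pair
        groups.setdefault((e.fields.get("src"), e.fields.get("dst")), []).append(e)
    incidents, watch_list, outbox = [], [], []
    for (src, dst), evs in groups.items():
        if len(evs) < min_events:           # a lone hit stays an event; two or more become an incident
            continue
        incident = {"id": len(incidents) + 1, "category": "Intrusion attempt",
                    "assignee": "analyst-on-call", "status": "open",
                    "src": src, "dst": dst, "events": evs}
        incidents.append(incident)
        # step 4: actions on the correlated event: append to a list, send an e-mail
        if src not in watch_list:
            watch_list.append(src)
        outbox.append(f"To: {incident['assignee']} | incident {incident['id']}: "
                      f"{src} -> {dst}, {len(evs)} IDS events, max severity "
                      f"{max(e.Severity for e in evs)}")
    return {"events": len(events), "matches": len(matches),
            "incidents": incidents, "watch_list": watch_list, "outbox": outbox}


def close_incident(incident, role):
    """Step 5: workflow chain of command. An analyst's close hands the incident
    to an administrator, who alone can close it for good."""
    if role == "analyst" and incident["status"] == "open":
        incident["status"] = "pending-admin-review"
    elif role == "administrator" and incident["status"] == "pending-admin-review":
        incident["status"] = "closed"
    else:
        raise ValueError(f"{role} cannot act on an incident in state {incident['status']}")
    return incident["status"]


if __name__ == "__main__":
    result = run_pipeline(SAMPLE_LOG, ids_high_severity)
    print(result["outbox"])
    print("watch list:", result["watch_list"])
```

On the sample, the filter keeps two of the three IDS lines (the severity-3 probe is dropped), both share a source/destination pair, so one incident is opened, the source address lands on the watch list, and one e-mail is queued; the firewall deny and the application login never reach the correlation stage.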


continue reading "Novell Sentinel Training Day 4"

15 Oct 2008

Novell Sentinel Training Day 3


All right, day 3 of Sentinel training was pretty good. We reviewed performing actions when a correlation rule is met on an event filter. We also learned about "solution packs": a little about how they are structured, but mainly how to import, edit and redeploy them. We were shown the PCI DSS solution pack, which is sold for $30K by itself; I must say it was pretty comprehensive. We were also given a sales presentation breaking down the scope of Novell's ISM (Identity and Security Management) products. It was explained to us that ISM is now one of Novell's three areas of focus, and any supported products will fall under their main areas of focus. They also mentioned that they did very well this quarter, which is about to end for them. That's really good news for Identity Management, especially at a time when the economy is not doing well. We also heard from some attendees in the training course that IBM is doing very well, and of course IBM has its own Identity Management suite, so even more good news for Identity Management. The sales rep explained that Identity Management was initially seen as a sub-area of focus for IT departments and not as part of security, but now it is seen as belonging under security rather than traditional IT because of the specialization that goes into it.

continue reading "Novell Sentinel Training Day 3"

10 Oct 2008

Novell Sentinel Training Day 2

What a day! I have a headache, though not because of the material or anything. Before I talk about what we did today, I was thinking of sharing some use cases with you where Sentinel would be highly beneficial to have. Imagine someone who is not an administrator attempts to log in as administrator; wouldn't you want to know? Or if there were repeated login failures on a very important server, or someone was trying to access a port which was designated for something important. Or imagine an administrator assigns a non-administrator certain rights which are out of the ordinary; you might want to know. An example that came up in class: someone logs in at a bank, withdraws or transfers a large amount of cash, and then changes their password. If such a combination of events happened, imagine having a rule in place where an alert was triggered. All of these use cases were mentioned in the training so far.

Today we spent a lot of time writing correlation rules and learning the syntax (expressions and other things) which is unique to the Sentinel product. We also spent a large amount of time learning the administrative tools.

Due to my headache, I'll be more detailed in the next post.
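Two of the use cases above written out as correlation rules, added here as a Python example rather than Sentinel's own rule syntax and not part of the original post: a threshold rule for repeated login failures against an important server, and a sequence rule for the bank example (login, large transfer, password change by the same user inside a time window). The event schema, the thresholds (five failures in 60 seconds, a 100,000 transfer, a ten-minute window), the critical host name and the sample events are all constructed assumptions for this example.

```python
from datetime import datetime, timedelta

# Constructed, already-normalised events for this example (what a collector
# would hand the correlation engine; not Sentinel's event schema).
EVENTS = [
    {"ts": "2008-10-09T09:00:00", "type": "login", "result": "failure", "user": "administrator", "host": "corebank01", "src": "10.9.9.9"},
    {"ts": "2008-10-09T09:00:10", "type": "login", "result": "failure", "user": "administrator", "host": "corebank01", "src": "10.9.9.9"},
    {"ts": "2008-10-09T09:00:20", "type": "login", "result": "failure", "user": "administrator", "host": "corebank01", "src": "10.9.9.9"},
    {"ts": "2008-10-09T09:00:30", "type": "login", "result": "failure", "user": "administrator", "host": "corebank01", "src": "10.9.9.9"},
    {"ts": "2008-10-09T09:00:40", "type": "login", "result": "failure", "user": "administrator", "host": "corebank01", "src": "10.9.9.9"},
    {"ts": "2008-10-09T09:01:00", "type": "login", "result": "failure", "user": "dev", "host": "devbox07", "src": "10.1.1.5"},
    {"ts": "2008-10-09T09:05:00", "type": "login", "result": "success", "user": "bob", "host": "corebank01", "src": "10.1.1.20"},
    {"ts": "2008-10-09T09:07:00", "type": "transfer", "user": "bob", "amount": 250000},
    {"ts": "2008-10-09T09:08:00", "type": "password_change", "user": "bob"},
    {"ts": "2008-10-09T09:10:00", "type": "login", "result": "success", "user": "carol", "host": "corebank01", "src": "10.1.1.21"},
    {"ts": "2008-10-09T09:11:00", "type": "transfer", "user": "carol", "amount": 200},
    {"ts": "2008-10-09T09:12:00", "type": "password_change", "user": "carol"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def failed_login_threshold(events, critical_hosts, count=5, window=timedelta(seconds=60)):
    """Threshold rule: `count` login failures against a critical host from one
    source inside a sliding `window` raise one alert per burst."""
    alerts, recent = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "login" or e.get("result") != "failure" or e.get("host") not in critical_hosts:
            continue
        key, ts = (e["src"], e["host"]), parse_ts(e["ts"])
        q = recent.setdefault(key, [])
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures that fell out of the window
            q.pop(0)
        if len(q) >= count:
            alerts.append({"rule": "repeated-login-failure", "src": e["src"],
                           "host": e["host"], "count": len(q), "at": e["ts"]})
            q.clear()                      # fire once per burst, not once per extra failure
    return alerts


def large_transfer_then_password_change(events, min_amount=100000, window=timedelta(minutes=10)):
    """Sequence rule from the class example: successful login, then a transfer of
    at least `min_amount`, then a password change, all by the same user within
    `window` of the login. Out-of-order or stale steps do not count."""
    alerts, stage = [], {}                 # user -> (step reached, login time)
    for e in sorted(events, key=lambda e: e["ts"]):
        user, ts = e.get("user"), parse_ts(e["ts"])
        if user is None:
            continue
        step, start = stage.get(user, (0, None))
        if start is not None and ts - start > window:   # sequence timed out; start over
            step, start = 0, None
            stage.pop(user, None)
        if e["type"] == "login" and e.get("result") == "success":
            stage[user] = (1, ts)
        elif e["type"] == "transfer" and step == 1 and e.get("amount", 0) >= min_amount:
            stage[user] = (2, start)
        elif e["type"] == "password_change" and step == 2:
            alerts.append({"rule": "large-transfer-then-password-change", "user": user, "at": e["ts"]})
            stage.pop(user, None)
    return alerts


if __name__ == "__main__":
    for alert in failed_login_threshold(EVENTS, {"corebank01"}) + large_transfer_then_password_change(EVENTS):
        print(alert)
```

Against the sample stream the threshold rule fires once for the burst of administrator failures from 10.9.9.9 (the single failure on the dev box is ignored because that host is not on the critical list), and the sequence rule fires for bob but not for carol, whose 200 transfer never advances the sequence past the login step. Each rule is a state machine keyed on the attribute that ties its events together (source and host, or user), which is the shape most correlation rules take regardless of the product's syntax.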

9 Oct 2008