Bad Data can change sides


I blogged earlier about the IdM one-liner I came up with: “Your manual processes are as good as the errors they produce”. Often when my colleagues and I embark on an identity management project, we become intimately acquainted with our clients’ data and manual processes. It is not uncommon for us to find ourselves without good data to work with when doing Identity Mapping. What I mean by good data is having user records across target systems that match up on a unique ID across the systems. Think of this as a universal Employee ID number. If everyone did this, Identity Management integration work would be simple and straightforward. But more often than not, integrators have to bend over backwards to figure out how to “map” these records. Let me give you an example. Imagine having 5 Roberts in your Human Resources data (usually your authoritative source). While they may have unique last names, many people with common first names might also have common last names, e.g. Robert Thomas. Secondly, in an environment where there is bad data, even these two fields will have multiple spellings of the name. So Robert can also be Robbie, Rob, R-dizzle. The same goes for Mike, Michael, Mikey, etc. If a unique ID number were used across systems, these minor spelling mismatches wouldn’t matter because you would just look for a matching ID.

continue reading "Bad Data can change sides"

10 Feb 2009

Password Guess and Reset hacking


This wired.com blog article explains how an 18-year-old hacker who has been hacking for 3 years was able to hack into a Twitter admin account (using a password-guessing tool/dictionary hack) and then use an admin password reset feature to give away passwords for 33 accounts, including the accounts of President-Elect Barack Obama, Britney Spears, and Fox News. This incident goes to show that:
continue reading "Password Guess and Reset hacking"

7 Jan 2009

Identropy Blog Launch

Check out the new Identropy Identity Management Blog. Or subscribe to the RSS feed.

I recommend this resource to anyone who would like to learn about Identity Management. It is particularly geared towards those who want to learn the basics of Identity Management. The Identity 101 series is particularly insightful. The various aspects of Identity Management (provisioning, single sign-on, etc.) are covered, and use cases are given to help illustrate the need for finding solutions.

16 Dec 2008

Manual processes are as good as…


Ash asked for IdM one-liners, so here’s one for you: Your manual processes are as good as the errors they produce. Recently I was working with a client that had various rules in place concerning employee identities. The problem was that they were relying on manual processes to enforce them, thus opening themselves up to human error. One example would be their username naming convention, which consisted of a combination of characters from the first name, middle name and last name. There are also special cases involving exceptions (if a username was already taken). While I was working on the IdentityMap for this client, they decided they wanted to do some data cleansing as well. So I started writing rules for excluding problem records. Hundreds of records were out of compliance with their various rules.

So the lesson to learn here is:

continue reading "Manual processes are as good as…"

3 Dec 2008

What’s your favorite LDAP browser?


I found this LDAP browser/editor to be really good! If you use this on a client and have write privileges, be careful not to overwrite anything. Another cross-platform browser, suggested by Eric, is LDAPSoft’s browser.


continue reading "What’s your favorite LDAP browser?"

12 Nov 2008

Understanding Identity: Provisioning; The Players


Gartner puts out its Magic Quadrant for User Provisioning report annually. This report identifies the leading players in the market and provides a lot of data on the adoption of provisioning identity products.

The usual suspects (Sun, Novell, Microsoft, IBM) are mentioned, although there are other major players as well, e.g. Courion. The company I work for, Identropy, gets a mention in relation to being an innovating force as a Courion partner. Understanding these products may give you a practical feel for what role Identity is playing at this point in time.

Read the full report here:
http://mediaproducts.gartner.com/reprints/novell/159740.html

12 Nov 2008

Mapping Tivoli- Lessons Learnt


I was at a client doing some Identity mapping. They have TIM Tivoli, which had to be mapped against their PeopleSoft data. I needed to pull their usernames (eruid) and employee IDs (eradEmployeeID) from objectclass eradaccount (AD stuff). I also had to get their email accounts, which are under a custom objectClass (it did not come from AD originally). I was trying to write a VBScript to pull everything. Unfortunately, all the code that’s out there on the web is very AD-specific (AD Provider, adspath, etc.), and I was not able to properly run a query from a VBScript to hit LDAP.

So I emailed Charles Ahart, a blogger who blogs about his Tivoli experiences, and told him about my problem. I mentioned I was trying to pull this data into SSIS to map against their PeopleSoft Employee ID, so VBScript or VB.NET code would work. I was also given access to their DB2 database. That thing is crazy: I could connect to it from SSIS, but the data is just all over the place. While I needed just 3 attributes, it was so difficult to track them down. Even the client’s TIM DBA couldn’t figure it out. So I thought that if I can’t do this with a script, I will have to do it by running a query against the DB2. I think the script would be an easier route to take.

Charles responded:

continue reading "Mapping Tivoli- Lessons Learnt"

12 Nov 2008

Understanding Identity Part 1


If you want to understand Identity Management, you first have to be able to analyze the problems surrounding corporate identities today. Courion, an identity software vendor (I recently completed training on their product), held an event where they presented their product. An attendee wrote:

Observations from Converge:

- The main industry vertical customers attending were financial and health care.   User provisioning is a key issue and it is very expensive to do manually

- RoleCourier is gaining traction as customers are using it to avoid complexity, excessive roles, and political situations that arise when doing role-based provisioning

- ComplianceCourier is getting a lot of interest for its capability to enable business managers to periodically review and verify employee access rights

- There was a great customer presentation from Goodyear Tire and Rubber Corporation, where they discussed a previous failed attempt at implementing IAM, followed by their project with Courion, which is rolling out very smoothly.  One interesting note: a focus on educating and motivating users to appreciate the new system really pays off.


continue reading "Understanding Identity Part 1"

12 Nov 2008

Installing VMWare on Linux


When doing Identity Management integrations, it’s very important to properly train consultants/integrators. While shadowing is a good way to get someone acquainted, it’s even more important to provide hands-on training. Dedicating an entire machine for each employee’s testing purposes becomes difficult quickly.

Virtualization helps eliminate the resource-intensive requirements of having all that hardware. Plus, it allows you to deal with multiple environments and makes reusing an entire installation as easy as copy and paste.

In an earlier post I had mentioned that you can set up a VMWare test server using VMWare on Linux as a Development Server for multiple users.

I recently followed this link to install VMWare 1.0.7 on OpenSUSE 11. Before doing anything, update your Linux installation from YaST or run the following command in terminal: apt-get update. Run all updates (and do this frequently). Then grab the latest version of VMWare Server from Vmware.com. After unzipping the file, these are the commands you should run in terminal and these are the results you should get. The trick is getting your dependencies right. If you get an error along the way, just search for that library in YaST, or do a Google search on the library that is missing and find out how to install it from the terminal. After installing the libraries, start the process again. I had to install the latest version of gcc to make this work.


continue reading "Installing VMWare on Linux"

18 Oct 2008

Novell Sentinel Training Day 4

To conclude my thoughts on the training, I thought I would include some screenshots so you can see Sentinel in action for yourself!

To sum up, the way Sentinel works is:

  1. Logs are pulled into Sentinel and each line is separated into events with severity levels ranging from 1 to 5.
  2. You define filters to look for events of interest. For example, a filter might look like:
    filter(((e.DeviceCategory = "IDS") and (e.Severity >= 4)))
  3. Multiple events can be grouped together and marked as incidents. Each incident can be assigned a category and can be assigned to a person for further investigation.
  4. Utilizing filters, a correlated event can kick off an action (or trigger) such as sending an e-mail, appending a list, appending an LDAP attribute or kicking off a JavaScript file (for further flexibility).
  5. Process workflows can be designed to dictate the logic behind how an event is handled. The chain of command can be worked into the workflow. E.g. when a correlated event takes place, an analyst can be prompted to check out the incident. Once the analyst attempts to rectify the problem and closes it out, it can then go to an administrator who can further investigate or close out the incident.

This is the process in a nutshell. If you follow the screens after reading the explanation, it might make more sense.


continue reading "Novell Sentinel Training Day 4"

15 Oct 2008