Initial Credential Issuance: An Often Overlooked Area of a Secure Identity Posture

Architecting mature and functional IAM strategies for our clients requires us to frequently reflect on the approaches that we have seen organizations take to solve common (and sometimes mundane) problems. One such such problem is that of initial credential distribution for internal user constituents (employees, contractors, temp workers, etc). How an organization creates and communicates a new user’s credential is really one of the first steps in a chain of maintaining a good security posture in the space of identity provisioning.

non-rep

At the core of this problem is the issue of non-repudiation. Basically, the ability to say that a given account owner was the only person who could utilize their credentials to access any given information system. More information on non-repudiation can be found here.

 

Over the years working in the IAM field, I’ve seen customers approach the problem of getting credentials to newly created users in different ways. Some (surprisingly many) choose to have their IT departments create new user accounts using a known password or formula (such as: <user_lastname><month><day>) in the newly created system. The issue with this approach is that there is no real guarantee that the account will not be used by a third party prior to or after distribution before the intended user begins to use them. This presents an obvious security issue that can be slightly mitigated by requiring a user to change their password after the 1st use. But, even forcing a user to change their password doesn’t completely solve this issue.

 

A more mature approach is to have a random password generated that complies with corporate password policies that is then communicated to the user through the IT department or the user’s manager. This still leaves the issue of non-repudiation, since whoever generates and communicates the credential to the user or manager also has knowledge of the credential. However, this approach limits the knowledge of this credential to only those in the chain of custody of the credential, instead of everyone who has been exposed to the ‘standard known password’ or password formula.

 

The most mature and effective way to address this issue usually involves implementing some sort of ‘account claiming’ mechanism. In this approach, a provisioning system or process generates a random system generated password that is never known to any person. Additionally, a system generated ‘claim token’  is generated that is then submitted to the user that can only be utilized once and within a specific time frame of issuance. The intended user is then directed to visit an internal account claiming site where they are asked for some personally identifying information (PII) along with their ‘claim token’. Once this information is verified, the user is directed to change their password, which is then communicated to the provisioning system and all downstream information systems. Identity provisioning platforms such as those from Oracle, IBM, and Sailpoint all make available the tools required to develop/configure this solution with minimal effort. This approach more effectively protects the integrity of the credential and greatly increases an organization’s IAM security posture with very little overall implementation effort.

 

This article is part 1 of a multi-part series that dives into specific concepts covered during our IAM MAP activities. More information about the Pathmaker Group IAM map can be found here.

 

Directory Object Search

Have you ever wanted to perform an LDAP search in a workflow to check for … well let’s just say a duplicate UNIX UID.
In this example the account add workflow is checking to make sure the Unix UID is not in use by another account. The requirements in this instance are that UNIX UID can only be used once in a service. Once the duplicate is found the next step is up to you but in this case the account add was rejected.

First thing you have to do is expose the dataservices model. Add the following line to scriptframework.properties.

ITIM.java.access.dataservices=com.ibm.itim.dataservices.model.*

Example Script in Workflow Script Node:

This script node is from an Account Add workflow. The script gets the service DN and erposixuid from the new account. The service DN and UNIX UID are used to verify the UNIX UID has not been used before in the same service. The Directory Object Search will search ITIM’s LDAP as you can see from the search base. There are also a couple examples to get the account attributes.

/* Search the current service for an account with the same unix uid */

var myAccount = account.get();
var myPerson = owner.get();

var unixUidMatch = ‘false’;
var dupAccountList = ”;
errorInd.set(‘false’);

/* Get Service DN */
var myServiceDN = myAccount.getProperty(“erservice”)[0];

var myInputPosixUid = myAccount.getProperty(“erposixuid”);
if (myInputPosixUid != null && myInputPosixUid.length > 0)
myInputPosixUid = myInputPosixUid[0];
else
myInputPosixUid = “unknown”;

if (myInputPosixUid != “unknown”) {
/* Search Accounts within Service for unix UID */
var searchFilter = ‘(&(erservice=’ + myServiceDN + ‘)(erposixuid=’ + myInputPosixUid + ‘))’;
var searchBase = ‘ou=accounts,erglobalid=00000000000000000000,ou=XXX,O=XXX’;
var base = new com.ibm.itim.dataservices.model.DistinguishedName(searchBase);

var params = new com.ibm.itim.dataservices.model.SearchParameters();
var search = new com.ibm.itim.dataservices.model.DirectoryObjectSearch();
var results = search.fetch(base, searchFilter, params).iterator();

while (results.hasNext()) {
/* Duplicate Unix UID Found */
var dirObj = results.next().getDirectoryObject();
/* Get Account Object */
var mySearchAccount = new Account(dirObj.getDistinguishedName().toString());

var mySearchEruid = mySearchAccount.getProperty(‘eruid’);
if (mySearchEruid != null && mySearchEruid.length > 0) {
mySearchEruid = mySearchEruid[0];
if (unixUidMatch == ‘true’)
dupAccountList = dupAccountList + ‘ ,’+ mySearchEruid;
else
dupAccountList = mySearchEruid;
}
unixUidMatch = ‘true’;
}

OR

while (results.hasNext()) {
var dirObj = results.next().getDirectoryObject();
var myDupAccountID = dirObj.getAttribute(“eruid”);
if (myDupAccountID!=null) {
myDupAccountID = myDupAccountID.getValueString();
}
}

Using Tivoli Federated Identity Manager to Get What You Want

  1. You want to enhance your company’s business-to-business and business-to-consumer collaborations with centralized user access management through application integration and secure authentication.
  2. You want to improve the experience of users at your company and lower costs through business-to-consumer user self-care and federated access control to on and off premises applications.
  3. You want to enable single sign-on (SSO) for external users to internal applications and for internal users to cloud-based applications.
  4. You want to provide web fraud detection and prevention capabilities through risk-based access control.

You want a lot!!!!!    Lucky for you there is …………

Tivoli Federated Identity Manager (TFIM)

IBM Tivoli Federated Identity Manager is an access-management solution that provides web and federated SSO to end users across multiple applications.  TFIM allows collaboration across an organization’s business ecosystem and plays a key role in businesses extending their application access to business partners, customers and consumers. TFIM provides the ability for internal users to access externally hosted applications, including cloud-based applications and business partner applications. Read more

ITIM Provisioning Policy Priority

A provisioning policy in ITIM (IBM Tivoli Identity Manager) basically grants access and set entitlements to the ITIM managed services based on the provisioning policy membership.

Each provisioning policy consists of information and settings on the following tabs:

  • General
  • Members
  • Entitlements

Of course, there are factors to consider: Role Memberships, service selection policies and policy join behaviors to name a few but this blog is just looking at the value of the required priority attribute.

The priority setting is a required value on the General tab of the provisioning policy configuration.  This is a required numeric attribute and the lower the number the higher the priority of the Provisioning Policy. Read more

Internet Enable your Applications using WebSEAL with Active Directory Authentication

Let’s say you have a set of applications you use within your organization that you want to make available for access from the Internet. Let’s further say you want remote users to login using their Active Directory credentials. That way, there is no additional password maintenance to worry about – for users or for support staff.

Sounds great, but can you pull it off without exposing your organization to the countless threats lurking out there on the Internet?

In most cases, it can be achieved with minimal risk to your systems and applications. Furthermore, PathMaker can help you design and deploy a solution, as well as help you analyze your applications and infrastructure for potential vulnerabilities. Read more

IBM Pulse 2012

Business Without Limits!

Pathaker Group is an IBM Premier Partner with the sales and technical certifications required to sell and implement an ever expanding array of best in class security solutions from IBM. Be sure to put Pulse 2012 on your calendar and stop by the Solution Expo and visit our booth. Business partners and customers will learn how IBM is shaping the IT Security Landscape with newly acquired technologies and integrated solutions to meet the growing challenges that we face.

Check out some info from IBM about Pulse!

Pulse 2012 returns to the MGM Grand in Las Vegas March 4-7, 2012 and we invite you to take part in the action! Experience first-hand how organizations in every industry are using Visibility Control Automation to improve the economics of their business infrastructures and speed the delivery of innovative products and services.

With over 7,000 attendees including industry-renowned speakers, Pulse 2012 is your ticket to hundreds of technology leadership sessions, industry-focused breakouts, and technical skill-building workshops. At this year’s conference you’ll have an opportunity to network with colleagues, participate in hands-on labs, and attend our largest-ever Solution Expo. Don’t miss this significant event!

The Pulse conference is now accepting session submissions! Visit the IBM Speakers page for the timeline, benefits and guidelines, or to answer the Call for Speakers today!” (IBM) Read more

Zombie Attrition Process (ZAP)

Zombies are everywhere; they lurk in existing and new systems. These zombies don’t lust after our blood or consume our flesh. It is much worse than that. These zombies can cause companies to fail audits, they can be used for unauthorized access, and worst of all they can cost companies money. Technically we are talking about lifeless accounts that exist on systems and no one knows who they belong to. To us on “Team ZAP” or the Identity Management team these accounts are known as ‘Orphan Accounts’. I don’t know about you, but identifying and removing Zombies just sounds more fun.

Not the kind of Zombies you’re interested in? If you are wondering for how to prepare for the basic flesh eating zombie apocalypse, visit our friends at the Centers for Disease Control.

 

Picture from: http://emergency.cdc.gov/socialmedia/zombies_blog.asp

If you want information on how to deal with Zombie or Orphan Accounts then keep reading. For full disclosure, dealing with Zombies is not for the faint of heart and I am not saying you wouldn’t get your hair mussed. Here at PathMaker Group we don’t mind getting a bit dirty when we deal with Zombies or Orphan Accounts in this proven approach: Read more

Using IBM Tivoli Identity Manager to Synchronize HR changes to Active Directory

Imagine this scenario. An employee gets married and her last name changes. Human Resources receives the required documentation and updates the employee’s last name. Now that the W2 has been changed, how long will it take this change to get propagated to the email system? How many people will be involved? How many phones calls will be made wondering why the name hasn’t been updated? Shouldn’t there be a simpler process?

With IBM Tivoli Identity Manager (ITIM) this last name change can automatically be replicated to multiple ITIM controlled systems with just the change to HR and without the need of any more human intervention.

ITIM automatically detects the change to the person’s last name and then triggers name change updates to multiple ITIM controlled systems including Active Directory, LDAP and database repositories. These updates occur in real time and the new last name is available for all to see. Read more