Okta End-to-End Identity Management: From Access to Governance

(Feb 28, 2019 BBQ&A Presentation)

WebSphere SAML SP for ISIM SSO

Use Case

Provide federated single sign-on (SSO) capabilities for IBM Security Identity Manager (ISIM) without the use of IBM Security Access Manager (ISAM). IBM’s documentation for ISIM explicitly defines how to configure SSO with the use of ISAM’s WebSEAL authentication. After further investigation and prototyping, SSO using a third-party IdP (Okta) has been successfully implemented in a live environment.

How to Configure

To configure single sign-on with the WebSphere SAML SP, the Trust Association Interceptor (TAI), and a third-party IdP, complete the following steps:

1. Deploy WebSphere SAML SP

WebSphere supports SAML web SSO and serves as the service provider for ISIM. WebSphere consumes the SAML assertion from our IdP and establishes a security context for the user in ISIM.

2. Configure WebSphere Trust Association Interceptor

Enable Trust Association for the Assertion Consumer Service deployed with WebSphere. The TAI will validate the request from a third-party IdP and will then perform an identity lookup to verify the user exists in ISIM.

3. Configure ISIM for SSO

To reiterate, the Knowledge Center documentation for ISIM states you are required to use IBM Security Access Manager to accomplish SSO, but this is not the case. There are a few properties that must be configured to prepare ISIM for SSO. Once these properties are enabled, the ISIM console and ISIM self-service login pages will be expecting SSO as the method of authentication.

4. Configure ISIM Security Domain

The deployment of the ISIM application creates its own security domain, named ISIMSecurityDomain. For ISIM to invoke the TAI, there are three TAI properties which must be set within the ISIM security domain. These properties tell the security domain to leverage the TAI, which contains the triggers, login URLs, and other ID-mapping properties needed to complete SSO.

**NOTE** Application security is enabled by default for ISIM. For any application using TAI, application security must be enabled.

5. Enable Trust Association Interceptor

Once the Assertion Consumer Service, Trust Association Interceptor, and the various properties are configured, the next step is to enable the TAI for Global Security.
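The checks described in steps 1 and 2 (consume the assertion, validate it, look the subject up before any security context exists), shown as an added Python illustration. This is not WebSphere's TAI code or an ISIM API: the configuration keys, the IdP and ACS URLs, the user registry and the assertion fields are all constructed for the example, and signature verification is stubbed as a boolean that a real SP would obtain from XML-DSig validation against the IdP certificate.

```python
# Added illustration: the validation a SAML service provider / trust association
# interceptor performs before it maps an IdP assertion to a local ISIM identity.
# Not WebSphere's TAI or any ISIM API; every name, URL and record below is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Assertion:
    """The parts of a SAML 2.0 assertion the SP must inspect (already parsed)."""
    assertion_id: str           # ID attribute, used for replay detection
    issuer: str                 # <saml:Issuer>, the IdP entity ID
    audience: str               # <saml:AudienceRestriction>, must name this SP
    name_id: str                # <saml:NameID>, the subject to map
    not_before: datetime        # <saml:Conditions NotBefore>
    not_on_or_after: datetime   # <saml:Conditions NotOnOrAfter>
    signature_valid: bool       # stand-in for XML-DSig verification against the IdP cert


# Constructed SP settings (this example's names, not ISIM/WebSphere property names).
SP_CONFIG = {
    "trusted_issuer": "https://idp.example.com/saml",     # hypothetical IdP entity ID
    "sp_entity_id": "https://isim.example.com/itim/acs",  # hypothetical ACS / audience
    "clock_skew": timedelta(minutes=5),
}

# Constructed stand-in for the identity lookup the TAI performs against ISIM.
ISIM_USERS = {
    "jmoore": {"dn": "uid=jmoore,ou=people,dc=example,dc=com", "status": "active"},
    "retired": {"dn": "uid=retired,ou=people,dc=example,dc=com", "status": "suspended"},
}

# Fixed clock values for the demonstration below.
NOW = datetime(2019, 2, 28, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(minutes=20)


def validate_assertion(a: Assertion, cfg: dict, now: datetime,
                       seen_ids: Set[str]) -> Tuple[bool, str]:
    """Return (accepted, reason); the first failing check rejects the assertion."""
    if not a.signature_valid:
        return False, "signature"
    if a.issuer != cfg["trusted_issuer"]:
        return False, "issuer"
    if a.audience != cfg["sp_entity_id"]:
        return False, "audience"
    skew = cfg["clock_skew"]
    if now < a.not_before - skew or now >= a.not_on_or_after + skew:
        return False, "validity_window"
    if a.assertion_id in seen_ids:
        return False, "replay"
    seen_ids.add(a.assertion_id)  # remember the ID for the lifetime of the window
    return True, "ok"


def lookup_user(name_id: str, registry: dict) -> Optional[dict]:
    """Identity lookup: the subject must exist in ISIM and be active."""
    user = registry.get(name_id)
    if user is None or user["status"] != "active":
        return None
    return user


def establish_context(a: Assertion, cfg: dict, registry: dict, now: datetime,
                      seen_ids: Set[str]) -> dict:
    """Validate, then map; only a validated and known subject gets a security context."""
    ok, reason = validate_assertion(a, cfg, now, seen_ids)
    if not ok:
        return {"authenticated": False, "reason": reason}
    user = lookup_user(a.name_id, registry)
    if user is None:
        return {"authenticated": False, "reason": "unknown_or_inactive_user"}
    return {"authenticated": True, "principal": user["dn"]}


def sample_assertion(assertion_id: str, name_id: str, now: datetime, **overrides) -> Assertion:
    """Constructed assertion valid for five minutes from `now`; overrides break one field."""
    fields = dict(
        assertion_id=assertion_id,
        issuer=SP_CONFIG["trusted_issuer"],
        audience=SP_CONFIG["sp_entity_id"],
        name_id=name_id,
        not_before=now - timedelta(seconds=30),
        not_on_or_after=now + timedelta(minutes=5),
        signature_valid=True,
    )
    fields.update(overrides)
    return Assertion(**fields)


if __name__ == "__main__":
    seen: Set[str] = set()
    print(establish_context(sample_assertion("_a1", "jmoore", NOW), SP_CONFIG, ISIM_USERS, NOW, seen))
    print(establish_context(sample_assertion("_a1", "jmoore", NOW), SP_CONFIG, ISIM_USERS, NOW, seen))  # replayed ID
    print(establish_context(sample_assertion("_a2", "retired", NOW), SP_CONFIG, ISIM_USERS, NOW, seen))
```

The order of the checks matters for a defender: signature, issuer and audience are verified before the subject is ever looked up, so an assertion minted for a different service provider or by an untrusted issuer never reaches the identity lookup, and the replay set closes the gap between "the assertion is genuine" and "this particular assertion has been used before".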

Assumptions

Completing the configuration of the WebSphere SAML SP and SSO assumes the following:

  • Knowledge of deploying WebSphere middleware applications
  • Certificate management
  • Preconfigured and functioning IdP
  • Understanding of Security Context for WebSphere applications
  • General understanding of SAML

Joshua Moore
PathMaker Group Consultant

Strategic Planning For Identity Management

Keith Squires, President and CEO PathMaker Group

Strategic Identity and Access Management projects can be difficult, and the new challenges with mobile, social, and cloud compound the problem. Protecting the perimeter is not enough anymore. Safeguarding identities is the key to a truly secure enterprise.

The industry has seen far too many train wrecks with IAM. To get beyond basic capabilities and really use IAM systems as a foundation for strategic IT, a company MUST take the time up front to consider the long-term plan. Near-term, immediate priorities can be solved with client-based single sign-on, basic provisioning, simple roles and audit reports. But with a short-term (and maybe short-sighted) plan, a company can just as easily limit its ability to solve more complex problems.

IAM in the Cloud is all the rage in the press these days. Surely this approach will fix the problems! Although some aspects of managing an IAM solution can be improved by outsourcing the infrastructure, many other areas within the organization need to line up to make it work. IAM in the Cloud is no silver bullet. A company still has to fix broken business processes. Trying to define, streamline or automate these processes simply brings many current flaws into focus.

Foundational capabilities, architectures, and processes take time to get right. And even when you get it right, organizational adoption is not guaranteed. A company needs CIO-level support, a champion who really understands and advocates for improvement, and a support staff that can really execute to make it happen. And even when everything lines up, unfortunately we’ve seen management changes frequently upset a plan well before it takes hold.

Many companies may decide to choose a perceived safe route and hire the software vendor to also implement the solution. This can work, but we’ve also seen plenty of attempts end with less than stellar results. Does the vendor have a strong, proven implementation methodology, experienced architectural skills, long-term resource teams who have a history working well together? More often than not, a client expecting an experienced cohesive team ends up with a quickly assembled group of contractors from any number of staffing agencies. And even if a strong group of technical resources is assembled, they must also have the analytical skills to identify and solve broken business process issues.

PathMaker Group has been working hard as a systems integrator since 2003. Those early years we spent some time learning and shaping the way we approached these projects. The next few years we worked hard to hire, train and build a long-term staffing model. The last few years we have hit a stride where we have done some of the best work in our history. I would venture to say some of the best work in the industry. Our recent projects have been some of the most involved, complex, and yet still successful, in our ten years of helping our clients.

We have had our hands in almost every IAM vendor solution. These solutions continually evolve with the market and the needs of the customer. New vendor products continually emerge. These market-leading products from SailPoint, IBM, Oracle, Centrify and others are extremely capable and complex. Staying current requires the commitment to continually train our people. It takes significant investment to learn new vendor products, but this is what our customers require of us as a great partner with the right professional skills.

But implementation problems can occur even with good software solutions. Long-term planning, strong architectural guidance, proven implementation skills, and a company champion with management backing: these are all essential to the success of a strategic IAM program. If your company can get there, the benefits of a foundational, strategic IAM solution will be clear and your organization will line up to get on board.

Overcoming the Complexities of Securing Health Data

The healthcare industry is rapidly evolving. Among the many significant industry changes are the ongoing mergers and acquisitions, the proliferation of accountable care organizations, and the integration of multiple health IT vendors into day-to-day hospital operations. Couple these changes with the fact that more patients are accessing their healthcare records electronically, and providers must cope with growing demand for sharing highly-sensitive patient data between organizations and individuals. However, with increasing demand comes increasing risk, particularly with information security and regulatory compliance. To ensure timely and proper access to applications, files and data, providers must navigate through a myriad of hurdles.

Multiple Authoritative Sources

Many provider organizations have multiple authoritative sources including human resource applications (HR), electronic health record systems (EHRs), learning management applications (LMS) and physician credentialing applications often referred to as MSOW. These and other systems and applications are deemed by the provider organization as the true source for defining user identity and access rights. However, having to manage multiple identity sources and their access rights creates difficulty in ensuring consistent execution of policies and resource optimization.

Diverse User Population

Within the healthcare-provider setting, there is typically a diverse and transient population that requires access to health information as part of their regular workflow. This may include hospitalists, employed staff, contracted physicians, students, volunteers, vendors, etc. Ensuring the right people have the right access at the right time is a daunting task. However, the consequences for not doing so can create security gaps with serious financial and operational repercussions.

Multiple Roles (Personas)

Personas – individual roles or bundles of entitlements – help to build an identity by defining the different ways in which an individual engages a provider organization. In some cases, an identity may have multiple personas. Consider the healthcare provider ecosystem where physicians, nurses, professors, researchers, contractors, volunteers and students are just a handful of job functions that may be present in one hospital. Yet many individuals can perform more than one function during any given day. To illustrate, a unit clerk in the emergency department may also be a nursing student who is doing a clinical rotation in the ICU. A physician may have an outpatient clinic in the morning and perform research work in the afternoon. Also, nurses may float between departments. To complicate matters, many of these functions can be transient.

Disparate Processes

User access is not always managed by any single department or team. At the same time, it is often managed through functionality native to the specific application. This creates disparity in processes that leads to security gaps and unnecessary burden on IT administrators and application owners. From a workflow perspective, the disparate systems and processes could affect clinical care. For instance, due to accidental oversight, a contracted physician may be given access to the EHR, but not to the enterprise content management system where scanned clinical media and photos are stored. As a result, the physician’s efforts to fully understand a patient’s condition and provide timely care may be delayed.

How to Effectively Address the Complexities

Identity governance is the key to enabling the organization with a single centralized view of an individual identity’s access across the provider organization. It streamlines processes for determining who should have access to what and when. Identity Governance enables providers to achieve the following:

DISCOVER: Gain visibility and control of the entire spectrum of diverse data users
  • Discover and determine who has access to what, when, and how access is to be granted.

SIMPLIFY: Create a simplified and consistent approach to allow for multiple and disparate authoritative sources
  • Eliminate difficulties in ensuring consistent execution of security access policies.

MANAGE: Organize multiple personas of any single identity
  • Avoid critical security gaps (such as segregation-of-duty violations) that may occur particularly in the provisioning and deprovisioning process.

Through identity governance, providers can better cope with the complexities associated with the current healthcare IT ecosystem, and successfully scale to future requirements.

To get more details about identity governance for the healthcare environment, Contact PathMaker to coordinate a free demonstration.

Source: SailPoint eBook Overcoming the Complexities of Securing Health Data © 2017 SailPoint Technologies, Inc.

Why All The Emphasis On Insider Threats? Three Reasons:

1. Insider security risks are more prevalent and potentially more damaging.

According to a study conducted by the Ponemon Institute, 34% of data breaches in the U.K. come from malicious activity, including criminal insiders, and 37% of breaches come from employee negligence. A previous Ponemon study indicated that a third of malicious attacks come from criminal insiders. Further, a Forrester study revealed that 75% of data breaches were caused by insiders, most often due to employee negligence or failure to follow policies. The most often cited incidents were lost devices, inadvertent misuse of sensitive information and intentional theft of data by employees. The impact of data breaches and downtime, whether caused by insider malice or negligence, can cripple an organization, exposing it to lost revenue, significant brand damage and increasingly onerous regulatory fines and penalties.

2. User identity “blind spots” are causing audit failures.

Many organizations are failing audits because of blind spots in their identity infrastructures. Blind spots can occur when identities and entitlements are managed in disparate silos or on local servers rather than centrally. For example, one of the biggest identity challenges for companies — and a major cause of failed audits — is a lack of visibility into local administrator accounts on Windows. This is akin to the root account on a Linux/Unix system. Failed audits can be particularly damaging in today’s environment, in which regulations related to data loss and data protection are becoming more rigorous around the world. Companies that conduct business globally have to be in compliance with a wide range of rules and regulations to satisfy audit requirements.

As such, organizations must be able to provide proof that users who have access to certain servers and applications are actually authorised users. They must also be able to deliver an auditable trail of what each user has done within the server. These requirements mean organizational policies need to apply the principle of “least privilege access,” whereby users log in as themselves and have only those privileges needed to do their jobs. If they need to have their privilege elevated for some reason, that is an explicit action.

3. Organizational complexity is posing a growing challenge.

Managing employee identity used to be relatively easy: A user was typically sitting at a desktop with a single machine connected to an enterprise application through a single wire. Ah, but things have changed. Users are now mobile and using a wide range of devices, some of which may be unsanctioned or undocumented personal devices. And mobility is only one aspect of the heightened complexity. IT infrastructures are increasingly diverse and heterogeneous, with multiple silos defined by departments, applications, operating systems or other characteristics that set them apart from one another. The proliferation of virtualization and cloud services adds additional layers of complexity to the IT environment. Without a solution to unify user identities, organizations face the prospect of having too many identities, thus raising too many identity-related risks — including data loss, data breaches, application downtime, failed audits and an inability to identify and rectify internal security problems before they escalate.

Savvy IT and security managers are recognizing that the most cost-efficient and effective way to address these challenges is to incorporate a solution that provides insiders with a unified identity across all platforms. By linking access privileges and activities to specific individuals, the IT organization can establish the control needed to minimize security risks, along with the visibility required to achieve compliance.

© 2013 Centrify Top 3 Reasons to Give Insiders a Unified Identity. 

Centrify is a PathMaker Group partner providing advanced privileged access management, enterprise mobility management, and cloud-based access controls worldwide. The Centrify Identity Service provides a SaaS product that includes SSO, multi-factor authentication, enterprise mobility management and seamless application integration. The Centrify Privilege Service provides simple cloud-based control of all privileged accounts and provides extremely detailed session monitoring, logging and reporting capabilities. The Centrify Server Suite provides the ability to leverage Active Directory as the source of privilege and access management across your Unix, Linux and Windows server infrastructure. Centrify is a Leader in The Forrester Wave, Q3 2016.

Recertification Health Check – 6 Steps

The regulatory push toward formal recertification of entitlements and privileges finds many enterprises in new compliance territory. PathMaker Group Chief Architect Jerry Castille shares six critical best practices to ensure strong governance.

1) Identify Target Applications: Collecting an inventory of applications that fall within the scope of a certification campaign’s requirements is the first step in a successful certification process. This inventory will detail application information relevant to the execution of your campaign.

2) Gather Accounts & Grants: For each application identified, I work with your team to determine the optimal approach for the extraction of accounts and group/role memberships from each target. If necessary, we will work with your team to develop a process for the normalization of this data into machine consumable output.

3) Entitlement Definition Workshop: Using our guided workshop format, we will work with your team of application and business process owners to define the set of entitlements within each application that will need to be certified. At the end of these workshops, your team will be enabled to define and maintain an inventory of items within each application that require access certification.

4) Gather Authoritative User Data: At this step of the process, PathMaker works with your organization to identify the individuals that will be included in the certification process. This includes individuals whose access is being certified, individuals approving access, as well as system owners that will be approving accounts that cannot be directly associated with a human user (orphan and service accounts).

5) Import Campaign Data: All of the work up to this point has been to develop a reusable set of processes that facilitate the adoption of a robust enterprise governance product. During this step, import the data gathered during the previous exercises into the PMG Certification Toolkit for analysis. Upon completion, execute your certification campaign.

6) Execute Campaign: Using the parameters defined during our workshop, a good toolkit will produce actionable analytics for approvers and system owners within your organization. Participants will then “Certify”, “Revoke”, or “Modify” each entitlement that requires their approval. Once an approver completes their certification tasks, the data is imported back into the toolkit.

7) Measure Results: After importing the analytics into the toolkit, a report is generated with any entitlements that will need to be revoked or modified. This report can be used by your organization to drive the administrative activities required to remove any unnecessary entitlements from your user population.
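The data flow behind steps 2 through 7, as an added Python illustration that is not PathMaker's PMG Certification Toolkit or any product's code: an application's raw account/group export is normalized into one row per (account, entitlement), scoped by the workshop's entitlement inventory, routed to a manager for active human users or to the system owner for orphan, service and ex-employee accounts, and the approvers' Certify/Revoke/Modify decisions are turned into the revocation report. The export, the entitlement inventory, the authoritative user records, the owner name and the decisions are all constructed sample data.

```python
# Added illustration of a recertification campaign's data flow (steps 2 to 7).
# Example code, not PathMaker's PMG Certification Toolkit; every record is constructed.
import csv
import io
from typing import Dict, List

# Step 2: constructed export from one target application, in that application's own shape.
RAW_GRANTS_CSV = """account,groups
jmoore,ISIM_Admin;Helpdesk
ksquires,Finance_RO
svc_backup,Backup_Operators
jdoe,Finance_RW;Finance_RO
"""

# Step 3: constructed entitlement inventory from the workshop (which groups need certifying).
ENTITLEMENTS = {
    "ISIM_Admin": {"certify": True},
    "Finance_RO": {"certify": True},
    "Finance_RW": {"certify": True},
    "Backup_Operators": {"certify": True},
    "Helpdesk": {"certify": False},  # out of scope for this campaign
}

# Step 4: constructed authoritative user data; the manager is the approver for an active person.
AUTHORITATIVE_USERS = {
    "jmoore": {"manager": "ksquires", "status": "active"},
    "ksquires": {"manager": "board", "status": "active"},
    "jdoe": {"manager": "ksquires", "status": "terminated"},
}
SYSTEM_OWNER = "finance-app-owner"  # hypothetical owner who approves non-human accounts

# Step 6: constructed approver decisions keyed by (account, entitlement).
SAMPLE_DECISIONS = {
    ("jmoore", "ISIM_Admin"): "Certify",
    ("ksquires", "Finance_RO"): "Modify",
    ("svc_backup", "Backup_Operators"): "Certify",
    ("jdoe", "Finance_RW"): "Revoke",
    ("jdoe", "Finance_RO"): "Revoke",
}


def normalize_grants(app: str, raw_csv: str) -> List[dict]:
    """Step 2: flatten the export into one machine-consumable row per (account, entitlement)."""
    rows = []
    for rec in csv.DictReader(io.StringIO(raw_csv)):
        for group in rec["groups"].split(";"):
            group = group.strip()
            if group:
                rows.append({"app": app, "account": rec["account"], "entitlement": group})
    return rows


def build_campaign(grants: List[dict], entitlements: dict, users: dict,
                   system_owner: str) -> List[dict]:
    """Steps 3 to 5: keep in-scope entitlements and assign each item an approver."""
    items = []
    for g in grants:
        spec = entitlements.get(g["entitlement"])
        if spec is None or not spec["certify"]:
            continue  # not in the certification inventory
        user = users.get(g["account"])
        if user is not None and user["status"] == "active":
            approver, kind = user["manager"], "user"
        else:
            # Orphan, service or ex-employee account: the system owner must decide.
            approver, kind = system_owner, "orphan_or_service"
        items.append({**g, "approver": approver, "kind": kind})
    return items


def apply_decisions(items: List[dict], decisions: dict) -> Dict[str, List[dict]]:
    """Steps 6 and 7: bucket each item by decision; revoke and modify drive admin work."""
    report: Dict[str, List[dict]] = {"certified": [], "revoke": [], "modify": [], "pending": []}
    bucket = {"Certify": "certified", "Revoke": "revoke", "Modify": "modify"}
    for it in items:
        decision = decisions.get((it["account"], it["entitlement"]))
        report[bucket.get(decision, "pending")].append({**it, "decision": decision or "Pending"})
    return report


def run_campaign() -> Dict[str, List[dict]]:
    """End-to-end run over the constructed data."""
    grants = normalize_grants("finance", RAW_GRANTS_CSV)
    items = build_campaign(grants, ENTITLEMENTS, AUTHORITATIVE_USERS, SYSTEM_OWNER)
    return apply_decisions(items, SAMPLE_DECISIONS)


if __name__ == "__main__":
    for bucket_name, entries in run_campaign().items():
        for e in entries:
            print(f"{bucket_name:9} {e['account']:11} {e['entitlement']:17} approver={e['approver']}")
```

Two design points carry over to a real campaign: an account that no longer maps to an active person in the authoritative source is never routed to that person's old manager but to the system owner, so terminated users' grants cannot be silently certified, and items with no decision land in a pending bucket rather than being treated as approved.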

Compliance or Agility? (Why Not Both?)

The increasing number of disclosed security breaches has recently shifted the public’s attention away from compliance. While no longer a hot topic in the news, compliance is still a major focus for enterprises. However, most CIOs aren’t measured on how compliant the business is – their success is measured in how much value they bring to the organization. But no matter how much revenue they generate or operational savings they find, CIOs are well aware of the catastrophic fallout that can result from compliance missteps. Unfortunately, compliance often includes putting processes and controls around the same initiatives that enable companies to grow and adapt – initiatives that result in the measurable value that position CIOs for success. So how do you choose between compliance or nimbleness? And should you even have to?

Often, a choice between two options requires a compromise. The difficulty lies in choosing between losing money to compliance violation fines (regardless of the time and resources then spent to become compliant) and improving revenue by building a business intended for growth. Identity governance helps with both.

Controlling and managing identities empowers the company to easily achieve compliance while providing a foundation for business growth and agility.

The Power of Automation

Compliance presents a challenge to enterprise CIOs in two ways. The first is obvious: today’s enterprise ecosystem is complex. You have a growing amount of digital assets in various locations. Users are added every day, with many operating as contractors and other types of users that are external to the organization. Keeping tabs on all these elements can be overwhelming.

Many organizations have cobbled together manual or semi-automated controls in an attempt to gain the visibility required to address regulatory requirements. While it gets the job done, the management and administration costs to run these programs can be exorbitant.

Simply put, compliance is expensive and time-consuming. But you must do it, even if it doesn’t do much to advance the business. In fact, the cost and resources required to manage user access – a key metric in regulatory reviews and audits – can actually divert attention from initiatives that will empower the business.

To make compliance a strategic enabler for the business, you must automate it. Taking it off your plate saves measurable amounts of time and money that can be applied to more business-driven initiatives. The only way to automate compliance is with identity governance. See all the applications, users and systems in your ecosystem. Know, at a glance, who has access to what. Manage user access based on roles or functions without requiring human intervention. Reduce the risk of human error. Get valuable hours back in your day.

The Power of Simplicity

If automated identity governance is good, simplified identity governance is better. Cloud-based identity governance multiplies the benefits of automation by making it easy. There’s no hardware to buy, no software to upgrade and no maintenance of any kind to be done by your IT team. In addition to saving hours per month by automating compliance processes, you can save even more time by eliminating the management of your identity governance solution.

Furthermore, in order for IT to become a tool for business empowerment, CIOs are streamlining their teams. They are hiring business-savvy workers with a broader skill set versus a deep bench of technical knowledge. Moving your identity governance into the cloud and removing the burden of managing the solution means that these teams can put their focus on initiatives that drive the business forward.

SailPoint’s Cloud-based Identity Governance Can Help

Cloud-based identity governance simplifies the process of automating compliance activities so that businesses can get back to what they do best – running their business. SailPoint’s IdentityNow enables you to achieve complex compliance requirements with a powerful identity governance solution that requires zero maintenance, upkeep or technical management. With IdentityNow, you no longer have to compromise between focusing on compliance and building an agile business.

© 2016 SailPoint Technologies, Inc. All rights reserved. SailPoint, the SailPoint logo and all techniques are trademarks or registered trademarks of SailPoint Technologies, Inc. in the U.S. and/or other countries.
All other products or services are trademarks of their respective companies.