Top Six Things to Consider with an Identity-as-a-Service (IDaaS) Solution – Conclusion

An IDaaS solution can prove to be a tremendous time saver, improve user satisfaction and IT productivity, and address many of the shortcomings associated with password sprawl. When considering an IDaaS solution, partner with a vendor that can deliver on all of the top IDaaS considerations discussed in this paper, and select an IDaaS solution that can centrally authenticate users with their Active Directory identity without replicating it to the cloud, that unifies mobile and app access management, that is ready for your enterprise globally, and that gives IT valuable insight into which applications are used, how devices are used and when — restoring lost visibility and control. In doing so you will reap many important benefits, including:

Centrify uniquely unifies cloud app and mobile engagement.

  • Improved user productivity and satisfaction: Make users productive from day one without extensive manual checklists and time-consuming helpdesk calls. Reduce the number of times a user has to remember and self-manage passwords, and make it easier to self-service access to all of their apps, devices and identity.
  • Reduced helpdesk costs: Return value in improved productivity and as much as a 95% reduction in app account and password reset calls.
  • Lower app lifecycle costs: Through turnkey provisioning for apps and by tightly integrating with Active Directory, the delivery of app single sign-on and mobile security is more cost efficient because IT uses existing technology, skillsets and processes that are already in place.
  • Improved security: IT can remove users’ access to all business-owned cloud and on-premises applications by simply disabling their Active Directory account, which is already a common practice at the time an employee leaves the company. And unlike other solutions, it does not duplicate your existing identity data into the cloud and out of your control — it remains secure inside your corporation.
  • Reduced compliance costs: IT can remove users’ access to all business-owned cloud and on-premises applications by simply disabling their Active Directory account, which is already a common practice at the time an employee leaves the company. And unlike other solutions, it does not duplicate your existing identity data into the cloud and out of your control — it remains secure inside your corporation.


Top Six Things to Consider with an Identity-as-a-Service (IDaaS) Solution – Blog 6 of 6

6. Built for Global Enterprises

When it comes to Identity and Access Management as a Service (IDaaS), enterprises and government organizations should look at young start-ups with a healthy dose of skepticism. Whether your corporate identity is in the cloud, on-premises, or a hybrid of both, you want assurance that you can trust the provider as a stable, long-term partner. As key metrics, you should look for a company that has been around for at least 10 years, has an established base of customers among major enterprises, such as the Fortune 50, and is proven to support global enterprises and major government entities.

You should also look for other signs of an enterprise-class provider, such as a worldwide network of redundant and secure datacenters. This is particularly important when doing business in places such as some European countries that have tough and unique privacy laws. Also look for global capabilities, such as localization into major languages and 24×7 global support. Finally, an enterprise-class partner should provide only solutions that comply with SSAE 16 SOC 2, TRUSTe, and EU Safe Harbor.

Centrify’s zero-downtime architecture delivers regional datacenter preference and automatic support for 15+ local languages.

Top Six Things to Consider with an Identity-as-a-Service (IDaaS) Solution – Blog 3 of 6

3. Complete App Access Lifecycle Management

When a user is new to the organization or takes on a different role within the company, an IDaaS solution should make it easy — and automatic — for you to provision users to cloud or on-premises apps with automated account creation, role-based license and authorization management, single sign-on, mobile app client management and automated account deprovisioning. This automation frees up your precious few IT resources and empowers the user to be productive sooner than through existing and often manual onboarding checklists.

Full app access lifecycle management offers key benefits, enabling IT organizations to save time and money by automatically creating user accounts across cloud apps for new employees. Provisioning can eliminate helpdesk calls by allowing you to deploy the right apps — with the right access — the very first time. Provisioning eliminates any follow-on tasks by IT for enabling the user, and also eliminates user confusion. Automatic identity federation provides single sign-on to those apps, without requiring multiple passwords that can be easily lost, stolen or forgotten. Role-based licensing and authorization management for key apps such as Office 365, Salesforce, Box, and more further reduces your IT burden and allows you to quickly get users productive. The same capabilities make it possible to offboard users automatically (disabling or removing users from a group triggers user account de-provisioning) ensuring security and compliance by removing access immediately, removing mobile client apps and their data, instantly deactivating app accounts, and freeing up app licenses.

Centrify manages the complete lifecycle for app access, including account provisioning, federation for SSO, mobile app management, centralized visibility and complete deprovisioning when the user changes roles.

Top Six Things to Consider with an Identity-as-a-Service (IDaaS) Solution – Blog 2 of 6

2. Identity Where You Want It

An IDaaS solution also needs to be flexible, providing robust access to corporate identities managed on-premises (e.g., Active Directory or LDAP), a directory service in the cloud for non-AD users such as partners or customers, and when appropriate, a hybrid of the on-premises and cloud directories. This is in stark contrast to other startup IDaaS vendors who only allow you to store identity data in their cloud directory. In order to leverage user data stored and managed in Active Directory, they first require that a portion of this data be replicated to their cloud and out of your control.

This cloud-only approach may not appeal to some organizations that — rightly or wrongly — have concerns about losing control of the proverbial keys to the kingdom. Organizations may also have reservations about creating another silo of identity to manage, unique security or privacy concerns, or legitimate concerns about the long-term viability of the vendor.

To enable this “identity where you want it,” a well-engineered IDaaS solution should deliver robust integration with on-premises Active Directory or LDAP, should support cloud-only deployments consisting of non-Active Directory or LDAP-based user identities, as well as a hybrid of Active Directory, LDAP, and/or cloud deployment.

Active Directory support should offer built-in Integrated Windows Authentication (IWA) without separate infrastructure and should automatically load balance and fail over without any additional infrastructure or configuration. Most importantly, it should not replicate Active Directory data to the cloud where it is out of the organization’s control — even if you choose to manage some of your users via a cloud model.

The diagram below shows the deployment options an IDaaS solution should support. As you can see, this hybrid approach gives you the best of both worlds in terms of flexibility.

Contact Us for more information on your IDaaS or Centrify Solutions. 

Top Six Things to Consider with an IDaaS Solution – Blog 1 of 6

1. Single Sign-On

Single Sign-On (SSO) is the ability to log into an app (cloud-based, on-premises, or mobile) every time using a single, federated identity. For consumers this identity can be their social media identity, such as Facebook or Google, while an enterprise identity is typically the user’s Active Directory ID. Without SSO, users need to remember complex passwords for each app. Or worse, they use common or easily remembered (i.e. weak) passwords. For users, the result is a frustratingly fragmented workflow, which can include signing into dozens of different apps during the workday. For IT, the problems of too many passwords, or insecure passwords, are obvious—with a costly data breach ranking at the top among concerns. A properly architected SSO increases both user productivity and corporate app security.

So what should you look for when deploying SSO? At the simplest, a solution should enable you to improve end-user satisfaction and streamline workflows by providing a single identity to access all business apps — whether the apps reside in the cloud or on-premises behind your firewall. It also needs to unify and deliver access to apps from all end-user platforms—desktops, laptops and mobile devices.

In a properly architected system, once users authenticate by logging in with their enterprise ID (e.g., Active Directory) they should enjoy one-click access to cloud, on-premises or mobile apps. Remote access to on-premises apps should be just as simple as accessing cloud apps: without requiring VPN hardware or client software. This type of SSO — using standards like SAML — will not only reduce user frustration and improve productivity but also enhance security. Federated SSO is better because it does not transmit the user name and password to the app over the network, but instead sends a time-limited, secured token verifying that the user attempting access is known and trusted. In addition, by eliminating the use of passwords and their transmission across networks, you can reduce the likelihood of users locking their accounts and calling the helpdesk, eliminate password risks such as non-compliant and user-managed passwords, and make it possible to instantly revoke or change a user’s access to apps without an admin having to reach out to each and every app.

Contact Us for more information on your IDaaS or Centrify Solutions.


5 Things to Consider with Multi-Factor Authentication

Chris Fields, VP of Security Strategy


Multi-factor authentication (MFA) is becoming a mandatory component of a secure identity and access management landscape.  You know you need to implement MFA and are contemplating where to start and what other considerations need to be evaluated.  Below are 5 things to consider on your MFA journey that will 1) save you time, 2) prevent rework and 3) avoid frustrating end users:

1. MFA Server

The MFA server is the “brain” that drives all policy decisions and functionality. Think of it as the horse you choose to ride on your journey to the MFA finish line. Flexibility to provide multi-factor (something you know, have or are), risk-based, step-up or other advanced access capabilities is key. This “brain” should have broad out-of-the-box integrations with various endpoints to maximize use of its capabilities in all facets of your identity and access management landscape. The MFA server should be accessible to your on-premises and cloud applications, services and servers. The placement and mix of those endpoints may even determine whether you select an on-premises or cloud MFA server.

2. MFA Clients

The MFA clients are the various devices that end users use to interact with the MFA server for authentication. A capable MFA server will support a myriad of MFA client devices and identification techniques, including desktops, laptops, tablets, mobile phones, grid cards, smart cards, RFID cards, key fobs (OTP), hard tokens (OTP), soft tokens (OTP) and biometric readers, to name a few. Mobile phones are becoming a very popular option because they are not only ubiquitous but also support many of the identification techniques that normally require deployment of additional hardware, especially one-time password (OTP) and biometric options. Before you make your selection, confirm support for all the client devices that are most common in your organization to minimize challenges in leveraging your MFA server. Also, make sure you select the right identification techniques for your user populations, and factor in deployment time and complexity.

3. VPN Integration

Remote access is typically the first use case out of the gate for MFA integration.  Most companies already have a VPN gateway in place so it becomes the first “stake in the ground” for making your MFA server decision.  Ideally you would pick your MFA server first, to maximize the capabilities I described in the MFA Server and MFA Client considerations, but reality isn’t always so neat and clean.  You may be lucky to have had your VPN software long enough to be at an inflection point, where the current technology is due for an upgrade or replacement and it makes sense to re-prioritize your VPN selection based on your MFA selection.  This is where going with a capable MFA Server yields the benefit of a wide range of out of the box integrations with popular VPN platforms.

4. PIM Integration

Privileged Identity Management (PIM) integration is typically the next integration point for MFA.  VPN integration ensures that the user and device are vetted properly to connect to the network remotely, but once on the network, both internal users and external users need to strengthen their authentication to servers for privileged access.   Instead of integrating each server individually with your MFA solution, integrating through a Privileged Identity Management gateway is becoming a more popular alternative.  Similar to the VPN integration scenario, ideally you would select your MFA solution first and maximize integration options with popular PIM solutions.

5. Access Management Integration

Application Access Management integration is usually the next integration point for MFA.  Having an access management solution in place is a best practice for managing access to applications, especially web applications.  Integrating your MFA solution with an access management solution provides an efficient mechanism for providing MFA capabilities at the individual application level. Since access management solutions form the authentication and authorization backbone for internal and external applications, this essentially extends your MFA capability to internal and external users in a very efficient manner.

Conclusion

Taking these 5 considerations into account when you are looking at your MFA solution will lead to a much less bumpy road for your administrators and end users.  The end result will be a consistent MFA end user experience for your users across the enterprise and a sound technical approach to solving the most common MFA use cases.

Request additional information here. 

Start With The End In Mind: Blog #7 – Lower the Cost of Compliance

(Source: SailPoint Technologies, Inc. Identity and Access Management Buyers Guide)

Compliance can be complex and difficult — and as a result, costly. Meeting industry and regulatory mandates requires organizations to regularly review and certify user access privileges. This leaves many companies constantly battling with error-prone and inefficient processes such as manually generating access reports and manually remediating inappropriate user access privileges. Signs that show you need to cut compliance costs include:

  • Building or leveraging multiple, homegrown solutions to handle audit and compliance needs
  • Hiring full-time staff or consultants to handle compliance projects like access certifications and SoD policy enforcement
  • Using inefficient tools like spreadsheets and email to drive manual compliance processes
  • Treating high-risk and low-risk users the same, where insufficient attention is given to high-risk users, or too much time and effort is spent on low-risk users.

To gain better control of your identity and access data, including centrally defining policy and risk and automating your access certification process, you need to replace expensive paper-based and manual processes with automated tools. By doing so, not only can you significantly reduce the cost of compliance, you can also establish repeatable practices for a more consistent, auditable, reliable and easier-to-manage access certification effort. If you struggle to effectively implement compliance processes and integrate them into your systems and infrastructure, a governance-based identity and access management solution is the launching pad you need to improve your effectiveness and reduce the costs of sustainable compliance.

Check back for blog #8, Salvage or Replace an Existing Provisioning System

Visit SailPoint Technologies, Inc. here.

Learn more about PathMaker Group IAM MAP here. 

Security Directory Integrator – Custom SQL for JDBC Connectors

By Joshua Moore, PathMaker Group Consultant

Security Directory Integrator, formerly known as Tivoli Directory Integrator, is a powerful tool that we often use to bulk load data into ISIM. Security Directory Integrator, otherwise known as SDI, has the capability of transforming data of one type into another. One of the challenges is querying specific data from a database source. For example, we often use SDI to match existing system data to another source based on a User ID, Employee ID, or some other unique identifier that is maintained in both systems.


For the purposes of this blog entry we will focus on the JDBC Connector provided with the standard SDI installation/configuration. As shown in Figure 1, the connector properties are relatively standard: once the required connection parameters are provided, connecting to the database should be seamless.

Figure 1:


With the connection properties configured, Link Criteria can be provided to match the input data, also known as “work,” against data within the connected table. To provide custom SQL for the connector’s Lookup, we will bypass the standard “Link Criteria” and feed in custom JavaScript on the Connection tab as shown above. Leave the “Link Criteria” tab alone.

Figure 2:

Context for this Example

To provide more context around this scenario, here is the background on the task at hand. A report (CSV format) has been provided with a list of server names and supporting content. These server names have been abbreviated to encompass more than one unique value by using a wildcard character (e.g., myservername*001 or myservernamedev*). Each wildcard therefore appears as only one entry in the report when realistically there could be multiple servers behind it, all sharing the report’s supporting content. For this scenario, the wildcard must be translated into a form that SQL can use to look up the related server names and output the unique servers for each wildcard value.


To provide the JDBC connection with a custom SQL statement we need to tell SDI to use advanced JavaScript for the connection. On the Connection tab of the JDBC connector there is an “Advanced” option (Figure 3) below the standard connection criteria.

Figure 3:

Connection Tab – Advanced Options

In this Advanced section, confirm that the “Use custom SQL prepared statements” check box is checked. This tells SDI to use custom JavaScript and bypass the Link Criteria. The next step is to provide the custom JavaScript. Click on “SQL Lookup.” It does not look like much of a link, but it will launch a new window (Figure 4). In this new window, you will provide the JavaScript to create, format, and customize the SQL to be used as “Link Criteria” for the JDBC connector.


As for our scenario, we are querying server names that have asterisks (*) as wildcard characters to denote more than one unique server. If you are familiar with SQL syntax you know that these asterisks cannot be used as wildcard characters in a SQL query. As noted in Figure 4, the SQL must be returned as a string value.

Figure 4:

Custom SQL Statement for JDBC connector:
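As an added example, not code from the original post or from the SDI product, the following JavaScript shows what the SQL Lookup script can return for this scenario: it turns the report’s `*` wildcards into SQL `LIKE` wildcards and rejects any CSV value that could alter the statement, since the lookup SQL is assembled from untrusted report content. The table SERVERS, the column SERVER_NAME, the work attribute `servername` and the return convention are assumptions to check against your own connector.

```javascript
// Added example, not from the original post or from IBM's SDI product code.
// Builds the SQL string that the JDBC connector's "SQL Lookup" script hands
// back, translating the report's "*" wildcards into SQL LIKE wildcards.
// Assumptions (not on the original page): table SERVERS, column SERVER_NAME,
// the work attribute name "servername", and that the script returns the SQL
// as a string. ES5 style so it runs under SDI's Rhino engine as well as Node.

// A server name from the CSV may contain letters, digits, '.', '-', '_' and the
// report's wildcard '*'. Anything else (quotes, ';', '--') is rejected up front,
// which is what keeps CSV content from rewriting the statement.
var SERVER_NAME_PATTERN = /^[A-Za-z0-9.\-_*]+$/;

// Escape LIKE metacharacters in a literal segment so that an underscore in a
// real name (db_prod01) matches only an underscore, not any single character.
// The escape character is declared with ESCAPE '\' in the statement below.
function escapeLikeLiteral(segment) {
  return segment.replace(/[\\%_]/g, function (ch) { return '\\' + ch; });
}

// Trim and validate one raw CSV value; throws on anything outside the allowed set.
function validateServerName(raw) {
  var name = String(raw).replace(/^\s+|\s+$/g, '');
  if (name.length === 0) {
    throw new Error('empty server name in report');
  }
  if (!SERVER_NAME_PATTERN.test(name)) {
    throw new Error('server name contains disallowed characters: ' + name);
  }
  return name;
}

// Convert "myservername*001" into the LIKE pattern "myservername%001". Literal
// segments are escaped separately, so only the report's '*' becomes a wildcard.
function toLikePattern(name) {
  var segments = name.split('*');
  for (var i = 0; i < segments.length; i++) {
    segments[i] = escapeLikeLiteral(segments[i]);
  }
  return segments.join('%');
}

// Return the lookup SQL for one report row. A name without a wildcard uses an
// exact match, so an abbreviated name never silently widens into a pattern.
function buildLookupSql(raw) {
  var name = validateServerName(raw);
  var base = 'SELECT SERVER_NAME FROM SERVERS WHERE SERVER_NAME ';
  if (name.indexOf('*') === -1) {
    return base + "= '" + name + "'";
  }
  return base + "LIKE '" + toLikePattern(name) + "' ESCAPE '\\'";
}

// What the SQL Lookup script body reduces to inside SDI: `work` is the
// connector's current work entry; "servername" is an assumed attribute name.
function sqlLookupScript(work) {
  return buildLookupSql(work.getString('servername'));
}

// Constructed sample rows standing in for the CSV report, including one value
// that must be rejected rather than turned into SQL.
var SAMPLE_ROWS = ['myservername*001', 'myservernamedev*', 'db_prod01', "srv' OR '1'='1"];

// Run every row, keeping generated statements apart from rejected input.
function processReport(rows) {
  var result = { sql: [], rejected: [] };
  for (var i = 0; i < rows.length; i++) {
    try {
      result.sql.push(buildLookupSql(rows[i]));
    } catch (e) {
      result.rejected.push(rows[i]);
    }
  }
  return result;
}
```

Inside the SDI script window the body would end by returning `sqlLookupScript(work)`; a rejected row surfaces as a script error for that work entry rather than as a query the database was never meant to run.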


Conclusion

There are a variety of use cases for providing custom SQL to complete the JDBC Connector’s connection criteria. This simple example, although not exhaustive, was chosen to demonstrate how to provide the connector with the appropriate custom SQL using JavaScript. There is always potential for more work around the types of “Link Criteria” to provide, but hopefully this will get you started on the right path.

Start With The End In Mind: Blog #6 – Eliminate Audit Deficiencies and Improve Audit Performance

(Source: SailPoint Technologies, Inc. Identity and Access Management Buyers Guide)

Identity management is a focal point for IT audits and one of the areas most commonly flagged for ineffective controls. During many Sarbanes-Oxley (SOX) audits, weak identity controls often receive negative audit findings in the form of control deficiencies or material weaknesses.

Here are some of the most common identity risks auditors are looking for:

  • Orphan accounts: Access that remains active for employees or contractors after termination due to failure to remove privileges
  • Entitlement creep: The accrual of privileges over time through transfers, promotions or other changes in roles resulting in employees with access beyond their job requirements
  • Separation-of-duty (SoD) violations: Inappropriate access resulting in excessive control over business transactions or the ability to perform conflicting duties
  • Poorly managed privileged user accounts: Anonymous accounts that are typically the domain of privileged users are managed using manual processes and are very difficult to audit
  • Lack of visibility into access by job function: Business users struggle to interpret technical IT data to make business decisions about what access is required to perform a specific job function.

If you’ve failed an audit due to weaknesses around any of these identity risks, we have good news. The right identity and access management solution will improve your visibility into risky or noncompliant areas and automate your processes for managing these risks. An enterprise-wide view of your identity data can help you to effectively analyze risk, make more informed decisions and implement the appropriate controls in an automated and more sustainable fashion. Further, aligning user access with job functions through an enterprise role model can strengthen user access controls by providing valuable business context around how specific sets of access map to the underlying business function being performed by an individual. The result? Fewer chances of negative audit findings or failing another audit. More chances of seeing audit performance improve over time.

Check back for blog #7, Lower the Cost of Compliance

Visit SailPoint Technologies, Inc. here.

Learn more about PathMaker Group IAM MAP here. 

Start With The End In Mind: Blog #5 – Reduce The Cost Of Managing Access Change

(Source: SailPoint Technologies, Inc. Identity and Access Management Buyers Guide)

Managing the complex relationships between thousands of users and millions of access privileges continues to be a daunting and expensive task for most organizations. Changes to user access are initiated, approved and implemented using fragmented, disjointed processes. Coupled with the fact that in most organizations, the processes and tools used to request or change user access are highly manual, the result is an inefficient and costly execution of access requests and changes. Does your organization wrestle with the following problems when fulfilling access changes across enterprise IT systems?

  • Multiple front-end processes are used by the business to request new or change existing access privileges
  • Heavy reliance on help desk or IT admins to assess and implement access changes
  • Manual processes are required to facilitate changes to user access
  • Different provisioning/deprovisioning processes are used for different applications

If these situations sound familiar, it’s time to take a different approach. You need to centralize the delivery of access across disparate IT resources spanning both the datacenter and the cloud and reduce the costs associated with managing the initiation and fulfillment of access requests and changes. The right identity management solution automates identity lifecycle events, such as onboarding new hires and managing job transfers, by directly assigning or changing roles and entitlements to match a user’s current job function. It can also automate removal of access privileges upon termination. By automating these events, organizations can reduce the number of self-service requests initiated by business users, the number of approvals required to grant access, and the number of calls to the help desk. In addition, a centralized solution can orchestrate the automation of changes to access rights for all applications regardless of how “last mile” provisioning changes are performed — via the help desk, a manual process, or an automated provisioning solution.

Check back for blog #6, Eliminate Audit Deficiencies and Improve Audit Performance

Visit SailPoint Technologies, Inc. here.

Learn more about PathMaker Group IAM MAP here.