Posts

Role-based Identity Management Best Practices

This is a white paper that I put together a few years ago for a large financial organization that was struggling with how to approach RBAC, or role-based identity management, without the new AI and machine learning capabilities found in some of the newer IGA solutions such as SailPoint IdentityAI. Introduction: Role-based identity management and role-based access control (RBAC) have long been the nirvana of Identity & Access Management programs, ever since the concept of distributed systems was introduced. The idea of aligning access to the business functions that users fulfill, and streamlining provisioning of that access, has proved a constant challenge in terms of both IT operational efficiency and compliance, risk and security needs. This paper aims to address the challenges of effectively managing role-based access and to identify best practices that help organizations achieve better IT efficiency, reduce risk and increase security for their users, data and applications. Rol...
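The role model the paper argues for, in working form, as an added example that is not from the white paper or from any IGA product: business roles carry entitlements, users are assigned roles, and anything granted directly to a user outside a role is surfaced as drift from least privilege. It goes one step past the excerpt with a naive role-mining pass that proposes a new role wherever several users share the same out-of-role grants. Every role, entitlement, user and separation-of-duties rule here is constructed for the example.

```python
"""Toy role model: business roles map to entitlements, users are assigned roles,
and direct (out-of-role) grants are flagged as drift from least privilege.
Added example; all roles, entitlements, users and SoD rules are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed role catalogue: business role -> entitlements the role carries.
ROLES = {
    "teller": {"core-banking:read", "core-banking:post-deposit"},
    "loan-officer": {"core-banking:read", "loans:originate"},
    "loan-approver": {"core-banking:read", "loans:approve"},
    "hr-analyst": {"hris:read"},
}

# Constructed separation-of-duties rules: entitlement pairs no one person may hold together.
SOD_RULES = [("loans:originate", "loans:approve")]


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    # Entitlements granted directly to the user rather than through a role.
    direct_grants: set = field(default_factory=set)


def role_entitlements(roles):
    """Union of the entitlements carried by a set of roles; unknown roles are an error."""
    ents = set()
    for role in roles:
        if role not in ROLES:
            raise KeyError(f"unknown role: {role}")
        ents |= ROLES[role]
    return ents


def effective_entitlements(user):
    """Everything the user can actually do: role-derived access plus direct grants."""
    return role_entitlements(user.roles) | user.direct_grants


def out_of_role_access(user):
    """Direct grants not explained by any assigned role: review, revoke, or fix the role."""
    return user.direct_grants - role_entitlements(user.roles)


def sod_violations(user):
    """SoD rules the user's effective access breaks, however that access was granted."""
    eff = effective_entitlements(user)
    return [(a, b) for a, b in SOD_RULES if a in eff and b in eff]


def mine_role_candidates(users, min_users=2):
    """Naive role mining: an identical out-of-role grant set shared by min_users or more
    people is a candidate for a new role, so the grants can move back under the model."""
    by_grants = defaultdict(list)
    for user in users:
        extra = frozenset(out_of_role_access(user))
        if extra:
            by_grants[extra].append(user.name)
    return {grants: sorted(names) for grants, names in by_grants.items()
            if len(names) >= min_users}


def review_population(users):
    """Per-user findings an access review would want surfaced."""
    return {
        user.name: {
            "out_of_role": sorted(out_of_role_access(user)),
            "sod": sod_violations(user),
        }
        for user in users
    }


if __name__ == "__main__":
    alice = User("alice", {"teller"}, {"reports:export"})
    bob = User("bob", {"loan-officer"}, {"loans:approve"})
    carol = User("carol", {"hr-analyst"}, {"reports:export"})
    for name, finding in review_population([alice, bob, carol]).items():
        print(name, finding)
    print(mine_role_candidates([alice, bob, carol]))
```

The point of `sod_violations` working on effective access rather than on role assignments is that a direct grant (bob's `loans:approve`) is exactly how toxic combinations slip past a role-only review.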

Leveraging Azure MFA with CyberArk

Posting this here for future reference. We had a customer that wanted to leverage Azure MFA for authenticating users (IT administrators) to CyberArk for accessing servers and checking out privileged credentials. CyberArk has two mechanisms to support this: 1) RADIUS authentication or 2) SAML authentication. We initially attempted to implement RADIUS authentication using Microsoft's Network Policy Server with the Azure MFA plug-in but threw up the white flag after many hours of debugging network packet captures. In the end we implemented this use case using Azure SSO to provide SAML-based single sign-on to CyberArk. RADIUS authentication is a bit more "legacy" but has been the de facto protocol for step-up authentication use cases for many years. I won't get into the history of RADIUS, but it has been around for a very long time (almost as long as the internet) and is widely used for network authentication, such as to IPsec-based VPNs and 802.1X-based wireless network...
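When you are staring at RADIUS packet captures between a PAM appliance and NPS, it helps to know exactly what is on the wire. The following is an added example, not CyberArk, NPS or Microsoft code: it builds an Access-Request the way a RADIUS client would, hides the User-Password as RFC 2865 specifies (each 16-byte block XORed with MD5 of the shared secret and the previous block, seeded by the Request Authenticator), adds the RFC 2869 Message-Authenticator (HMAC-MD5 over the packet), and then decodes and verifies it as the server would. The shared secret, identifier, username and authenticator are constructed values.

```python
"""RADIUS Access-Request encoder/decoder showing RFC 2865 User-Password hiding and the
RFC 2869 Message-Authenticator. Added example, not CyberArk or NPS code; the secret,
identifier, username and Request Authenticator used in __main__ are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) identifier(1) length(2) authenticator(16)


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks; block i is XORed with MD5(secret + block i-1),
    where block 0 is the Request Authenticator. This is obfuscation, not real encryption."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # next block is keyed on the previous ciphertext block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; trailing null padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length includes the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, authenticator=None):
    """Encode an Access-Request carrying User-Name, User-Password and Message-Authenticator."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, ra))
    ma_offset = HEADER_LEN + len(attrs) + 2  # where the 16-byte MAC value will sit
    attrs += attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) + ra + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()  # computed with the MAC field zeroed
    return packet[:ma_offset] + mac + packet[ma_offset + 16:]


def parse_packet(packet):
    """Return (code, identifier, authenticator, [(type, value, value_offset), ...])."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < HEADER_LEN:
        raise ValueError("bad RADIUS length")
    authenticator = packet[4:HEADER_LEN]
    attrs, offset = [], HEADER_LEN
    while offset < length:
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[offset + 2:offset + attr_len], offset + 2))
        offset += attr_len
    return code, identifier, authenticator, attrs


def verify_message_authenticator(packet, secret):
    """True if Message-Authenticator == HMAC-MD5(secret, packet with the MAC field zeroed)."""
    _, _, _, attrs = parse_packet(packet)
    for attr_type, value, offset in attrs:
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset] + b"\x00" * 16 + packet[offset + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # no MAC: nothing but source-IP trust binds this request to a client


def server_side_decode(packet, secret):
    """What the server recovers: (username, clear password), or None if the MAC fails."""
    if not verify_message_authenticator(packet, secret):
        return None
    _, _, ra, attrs = parse_packet(packet)
    values = {t: v for t, v, _ in attrs}
    return (values[ATTR_USER_NAME].decode(),
            reveal_password(values[ATTR_USER_PASSWORD], secret, ra).decode())


if __name__ == "__main__":
    pkt = build_access_request(7, "admin", "pa55word", b"s3cret", bytes(range(16)))
    print(pkt.hex())
    print(server_side_decode(pkt, b"s3cret"))
```

Two things worth noticing in a capture: the User-Password field is only as strong as MD5 of the shared secret, which is why RADIUS between a PAM server and NPS belongs on an isolated management network (or inside RadSec/IPsec), and an Access-Request without a Message-Authenticator can be replayed or forged by anyone who can source packets from a permitted client address.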

The Business Value for IAM AI

Several IAM vendors have either released or are working on integrating artificial intelligence (AI) and machine learning (ML) into their Identity Governance and Administration (IGA) products. Beyond the marketing hype of artificial intelligence, what exactly do AI and machine learning give us? The Access Decision Dilemma: Access certification campaigns have been a staple of information security programs since we first had to spell SOX. The ability to prove that managers and/or application owners have reviewed existing users' access on a regular basis is the foundation of keeping auditors happy and keeping board members out of jail. So, what exactly is the issue? It's that satisfying risk and compliance requirements is only a passing grade. To really achieve security we need to ensure that users retain only the access they need to perform their job (i.e. least privilege). Doesn't conducting regular access reviews achieve this? To answer this question, let...

Conquering User Provisioning with Okta Workflows

I just got back from Okta's SKO this week, and one of the major technical focuses was the new Okta Workflows engine, which is currently in EAP (early adopters program). Workflows is a new component of the Okta Advanced Identity Lifecycle Management (ILM) offering that enables organizations to perform complex logic triggered by joiner, mover and leaver events such as the creation of a new user, an employee transferring to a different department, a user being added to a group, or a user being terminated in an HR system. There are many more events than this, but this gives you a flavor. When these events are triggered, Okta Workflows can perform any number of actions such as sending an email, assigning a personal folder in a file management solution like Box or SharePoint (among others), and assigning the user to a Slack channel. Okta Workflows follows an event-based model: "When this happens" -> "If this" -> "Do This" -> "Do That" ...
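The "when this happens -> if this -> do this -> do that" model, as an added example in plain Python rather than anything from Okta Workflows or Okta's own code. It evaluates a batch of lifecycle events against an ordered rule list and returns the actions a flow would have taken. The payload layout (events under data.events[] with eventType and target entries) is modeled on Okta's Event Hook delivery format, and the specific event type names, profile attribute, group name and the downstream actions are assumptions made for the example; the actions only record what they would do.

```python
"""Joiner/mover/leaver rule dispatcher in the when -> if -> do shape described above.
Added example, not Okta Workflows code. The payload layout is modeled on Okta Event Hook
deliveries (data.events[] with eventType/target); event type names, the department
attribute, the group name and the actions are assumptions for the example."""
from dataclasses import dataclass
from typing import Callable

# Constructed Event Hook style payload: a joiner, a group add and a leaver.
SAMPLE_PAYLOAD = {
    "data": {
        "events": [
            {"eventType": "user.lifecycle.create",
             "target": [{"type": "User", "alternateId": "new.hire@example.com",
                         "detailEntry": {"department": "Engineering"}}]},
            {"eventType": "group.user_membership.add",
             "target": [{"type": "User", "alternateId": "jane@example.com"},
                        {"type": "UserGroup", "displayName": "Contractors"}]},
            {"eventType": "user.lifecycle.deactivate",
             "target": [{"type": "User", "alternateId": "leaver@example.com"}]},
        ]
    }
}


@dataclass
class Rule:
    when: str            # "When this happens": event type to match
    do: list             # "Do this / do that": actions run in order
    if_: Callable = lambda event: True  # "If this": optional condition on the event


def target_of(event, kind):
    """First target entry of the given type (User, UserGroup, ...), or {} if absent."""
    return next((t for t in event.get("target", []) if t.get("type") == kind), {})


def user_email(event):
    return target_of(event, "User").get("alternateId", "<unknown>")


# Actions return a record of what they would do; a real flow would call the vendor APIs.
def create_home_folder(event):
    return f"box:create home folder for {user_email(event)}"


def add_to_slack_channel(channel):
    return lambda event: f"slack:add {user_email(event)} to {channel}"


def set_access_expiry(days):
    return lambda event: f"okta:expire access for {user_email(event)} in {days}d"


def revoke_sessions(event):
    return f"okta:revoke sessions for {user_email(event)}"


def notify_manager(event):
    return f"email:notify manager of {user_email(event)}"


def in_department(name):
    return lambda event: target_of(event, "User").get("detailEntry", {}).get("department") == name


def added_to_group(name):
    return lambda event: target_of(event, "UserGroup").get("displayName") == name


RULES = [
    Rule("user.lifecycle.create", [create_home_folder, add_to_slack_channel("#all-hands")]),
    Rule("user.lifecycle.create", [add_to_slack_channel("#engineering")], in_department("Engineering")),
    Rule("group.user_membership.add", [set_access_expiry(90)], added_to_group("Contractors")),
    Rule("user.lifecycle.deactivate", [revoke_sessions, notify_manager]),
]


def run_flows(payload, rules):
    """Evaluate every delivered event against every rule, in order; return the actions taken."""
    actions = []
    for event in payload["data"]["events"]:
        for rule in rules:
            if rule.when == event.get("eventType") and rule.if_(event):
                actions.extend(act(event) for act in rule.do)
    return actions


if __name__ == "__main__":
    for line in run_flows(SAMPLE_PAYLOAD, RULES):
        print(line)
```

Ordering matters for the leaver case: session revocation runs before the notification so that a terminated account loses access even if a later step fails, which is the kind of sequencing decision a workflow engine makes explicit.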

What I've been up to

It's been almost ten years since I have posted anything here and, well, I want to bring this blog back to life. My original thought was to post random notes on technical issues as well as solutions, and, well, life got busy. When I first started this I was an independent IAM consultant/architect focused on IBM technology (ISIM, ISAM, etc.). I have since joined Sirius Computer Solutions (2015) and took the reins as the principal architect for our IAM practice. It's been a wild and fun ride building a small practice with fewer than 10 customers into a large and successful part of our overall $820M security business, completing more than 100 implementation projects a year. More importantly, we have grown from a single-vendor expert implementation team to a customer-focused IAM consultancy supporting over 18 vendors in the IAM space including IBM, SailPoint, Okta, Duo, Microsoft, Micro Focus, SecureAuth, Ping, One Identity, Idaptive, RSA, Radiant Logic, Saviynt, CyberArk, BeyondTrust, Ce...

Load Balancing Web Services with WebSEAL

I came across this bit of information in an old email from several years ago and wanted to capture it here for future reference. In case you're thinking of using a WebSEAL server as a proxy for a web service based application (SOAP or REST), there are some details you need to be aware of in how you tune your servers for a successful implementation. The advantage of using a WebSEAL server for proxying web service traffic is that you can enforce authorization based on the client IP address (typically a client web application). This isn't as strong a control as performing authentication and authorization using WS-Security or SAML, since a source address can be spoofed or shared behind a NAT, but if those options aren't available, WebSEAL can increase security by only allowing certain IP addresses to access the application using POPs (Protected Object Policies). What you have to be aware of is the fact that the client opening the connection to the WebSEAL server is typically another application. This creates a problem if th...

DB2 How to Empty a Table

Much better explanation of my previous post: http://db2nerd.blogspot.com/2008/08/db2-how-to-empty-table.html

DB2 Miscellania

We (the current project I am working on) are in the process of migrating an existing ITIM database from Oracle 10g to DB2 9.1. This is still a work in progress, and something I want to write about simply because it hasn't been done (to the best of my knowledge). Not even the ITIM engineers I checked with have ever heard of a customer converting their database after the fact. In any case, I have had to learn a little more about DB2, and one of the more useful tasks I've had to learn is how to clear all of the records out of a table. My first attempt was to simply run 'DELETE FROM <table>'. This may work for small tables, but it does not work for larger ones, because DB2 logs every deleted row so that the statement can be rolled back. If the delete needs more log space than your active transaction logs can hold, the statement fails and is rolled back, leaving the table untouched. As an alternative, you can use an import statement such as 'IMPORT FROM /dev/null OF DEL REPLACE INTO <table>'. This does an im...