Posts

Showing posts from 2020

Leveraging Azure MFA with CyberArk

Posting this here for future reference. We had a customer that wanted to leverage Azure MFA for authenticating users (IT administrators) to CyberArk for accessing servers and checking out privileged credentials. CyberArk has two mechanisms to support this: 1) RADIUS authentication or 2) SAML authentication. We initially attempted to implement RADIUS authentication using Microsoft's Network Policy Server with the Azure MFA plug-in but threw up the white flag after many hours of debugging network packet captures. In the end we implemented this use case using Azure SSO to provide SAML-based single sign-on to CyberArk. RADIUS authentication is a bit more "legacy" but has been the de facto protocol for step-up authentication use cases for many years. I won't get into the history of RADIUS, but it has been around for a very long time (almost as long as the internet) and is widely used for network authentication, such as to an IPsec-based VPN and 802.1X-based wireless networks...

The Business Value for IAM AI

Several IAM vendors have either released or are working on integrating artificial intelligence (AI) and machine learning (ML) into their Identity Governance and Administration (IGA) products. Beyond the marketing hype of artificial intelligence, what exactly do AI and machine learning give us? The Access Decision Dilemma Access certification campaigns have been a staple of information security programs since we have had to spell SOX. The ability to prove that managers and/or application owners have reviewed existing users' access on a regular basis is the foundation of keeping auditors happy and keeping board members out of jail. So, what exactly is the issue? It's that satisfying risk and compliance requirements is only a passing grade. To really achieve security we need to ensure that users only retain the access that they need to perform their job (i.e. least privilege). Doesn't conducting regular access reviews achieve this? To answer this question, let...

Conquering User Provisioning with Okta Workflows

I just got back from Okta's SKO this week and one of the major technical focuses was on the new Okta Workflows engine, which is currently in EAP (early adopters program). Workflows is a new component of the Okta Advanced Identity Lifecycle Management (ILM) offering that enables organizations to perform complex logic triggered by joiner, mover and leaver events such as the creation of a new user, an employee transferring to a different department, a user being added to a group, or a user being terminated in an HR system. There are many more events than this, but this gives you a flavor. When these events are triggered, Okta Workflows can perform any number of actions such as sending an email, assigning a personal folder in a file management solution like Box or SharePoint (among others), and assigning the user to a Slack channel. Okta Workflows follows an event-based model: "When this happens" -> "If this" -> "Do This" -> "Do That" ...

What I've been up to

It's been almost ten years since I have posted anything here and, well, I want to bring this blog back to life. My original thought was to post random notes on technical issues as well as solutions and, well, life got busy. When I first started this I was an independent IAM consultant/architect focused on IBM technology (ISIM, ISAM, etc.). I have since joined Sirius Computer Solutions (2015) and took the reins as the principal architect for our IAM practice. It's been a wild and fun ride building a small practice with fewer than 10 customers into a large and successful part of our overall $820M security business, completing more than 100 implementation projects a year. More importantly, we have grown from a single-vendor expert implementation team to a customer-focused IAM consultancy supporting over 18 vendors in the IAM space including IBM, SailPoint, Okta, Duo, Microsoft, Micro Focus, SecureAuth, Ping, One Identity, Idaptive, RSA, Radiant Logic, Saviynt, CyberArk, BeyondTrust, Ce...