I'm approaching noon of my first morning at The Experts Conference (TEC).
During introductions this morning, Gil Kirkpatrick, who founded the conference years ago while at NetPro (acquired by Quest), reiterated the conference commitment to provide training and support for industry experts in Active Directory, Exchange, and now Sharepoint as well.
Adding to that support and bringing it beyond the annual conference is The Experts Community. I'll try to get more on that, but the idea is obviously a community of knowledge sharing that goes beyond basic training into in-depth knowledge sharing for expert-level practitioners.
And the audience has already proven that they fit the description of experts, challenging speakers and presenters in each session. This is NOT a conference where vendors could put up a marketing presentation and hope nobody notices some omission or flaw in the underlying technical approach.
As an example, someone stood up and asked Conrad Bayer (Microsoft's General Manager of Identity and Access) during his keynote about a slide he had put up during the presentation. The slide indicated that small businesses would be faster to adopt cloud solutions because they were less concerned with security and privacy. So, the question was important. Is that true? Does Microsoft believe that small businesses care less about security and privacy? And also - is Microsoft saying that cloud solutions are inherently less secure? Bayer clarified that small businesses are certainly concerned and that the slide content was probably referring to customer perceptions around security driving those decisions - and not actual security implications.
He also went on to confirm that Microsoft is working toward creating security symmetry between cloud and on-premise solutions to eliminate the concerns about security when moving solutions to a cloud model.
...more to come.
Security for the Digital Transformation: Cloud, Data, Identity & Access.
Monday, April 26
Thursday, April 8
Governance: the next Era of Identity Management
Ben Goodman, in an Intelligent Workload Management article, notes that there's a coming paradigm shift in the world of compliance. He talks specifically about the new trend of turning to identity management solutions for help with compliance. We heard more about this trend from Dave Kearns in his discussion on SailPoint expanding its Access Governance solutions into the Identity Management space and Courion doing the inverse.
I spoke to an analyst recently who was hoping to see additional convergence between identity management, access governance, and compliance solutions. I think we can probably all agree that it would be nice. In my opinion, we're at least a few years out from that. Not because of technology, but because we need customer demand to drive it. And this is all so confusing, I don't think many organizations have come to the Buddha-like realization of what an ideal identity and access state would look like for them.
Mr. Goodman can correct me, but I boil his point down to one easy statement:
Start with Security and compliance will follow.
I published a paper in late 2007 in which I discussed creating a Culture of Compliance leveraging frameworks for a Multi-Regulatory Approach (it's still on the NetVision site if you're interested). Essentially, I was making the same points as Goodman. Tech professionals get really wrapped around the axle on mapping specific controls to specific regulations. But, that's a recipe for unnecessary cost, effort, and frustration.
If you must do mapping, map to a single framework and then show how that framework meets the requirements in the numerous regulations you may be facing. But an even better approach is to look at each of your critical systems and:
a) Secure them to satisfaction
b) Enable auditing to prove that security is real
We've gotten a lot better at part A. Security assessors can poke holes, identify weaknesses, and provide best practices to get an environment to a pretty secure state. But part B means both answering the big question (who has access to what?) and monitoring activity to ensure that a secure state is maintained. Even in secure, locked-down environments, someone has access to sensitive information. And that needs to be watched.
If you can quickly provide answers on part B, compliance should be easier, and less costly. Even without a 30 page spreadsheet showing mappings of each control to each section of every regulation.
Tuesday, February 23
"Automated Provisioning Machine" (in quotes)
I like the cartoon at this Imanami blog entry. It's funny and makes a clear point about identity management (provisioning) solutions. I'll let them make the point rather than rewrite it here. But like the old cliché says, a (moving) picture is worth a thousand words.
Friday, February 12
Identity Governance is not One Size Fits All
I read an article this morning written by SailPoint's Darran Rolls titled How Identity Governance Solves the Compliance. Aside from my feeling that the title was either cut-off or misprinted, the article makes a lot of sense. Rolls writes:
"The identity management landscape is changing. The need for stronger auditing controls is giving rise to identity governance tools that are supplanting ID provisioning solutions as the centralized management layer for identity."
and later makes the point that:
"This ability to translate technical identity data into business-relevant context is a critical advancement from old-school provisioning technology."
Yes and Yes.
This is exactly what I've been spending my time on at NetVision. One difference though. Much of Rolls' article focuses on the topics of platform coverage and correlation. While our solution scales and is deployed well into the Fortune 500, most of the organizations we speak to are turned off by the complexity involved with integrating numerous platforms.
NetVision's focus is on core network systems - Microsoft and Novell. That's Active Directory or eDirectory, which hold network user accounts, security groups, and some other entitlements based on account attributes -- and the associated file systems, which are a breeding ground for unauthorized access of sensitive information. Our goal is to be simple and easy to use, with no requirement for in-house expertise on access rights. And we get results on day one.
I'm not trying to give a pitch. My point is that Identity Governance is important. But, it's not one size fits all. While some organizations are looking for the solution with the broadest range of platform coverage and are willing to accept the inherent complexity, many are looking for easy-to-use, simple-to-own solutions that cover core networking platforms.
Who Has Access to What? is the question of the year. Tools that enable you to audit, monitor, alert, and report on access rights are a must-have for driving down audit costs and improving your ability to answer that question. We're entering the next wave in Identity Management. And it's not a pie-in-the-sky utopia of federated identity with built-in governance (yet). It's real-world solutions for answering the question of the year with zero effort.
Thursday, December 10
Effective Access Rights on a Single Server
If you're not familiar with the term effective rights, it refers to the calculated rights that result from the number of different permission settings applied via group memberships, nested groups, hierarchical permissions, object ownership, and other considerations. NetVision's latest product is now available in a Single Server Edition (SSE) to provide effective rights reporting on (you guessed it) a single server for a very reasonable price ($795 per server).
Special Offer for Blog Readers!
Give Access Rights Inspector SSE a free trial on your own server. If you decide to buy, use the promo code "access10" until Dec 31, 2009 to get $300 off the price and pay only $495 to generate an unlimited number of effective rights reports on a single Windows Server. This can save an enormous amount of time during security audits.
Revenue Opportunity for Bloggers
We're looking for affiliates. Post a link from your blog and get 15% for each sale. That's ~$120 at full price. If you're lucky, you'll make that in a year with Google Adwords. Sell a dozen servers and you'll be picking out a brand new flat screen TV (maybe one of those backlit LED displays) ...or maybe making a down payment on a new car? It's easy. And it's a useful product. Give it a try for yourself and let me know if you're interested.
Thursday, December 3
Querying AD from SQL Server
This is a great how-to article on querying Active Directory from within SQL Server. I've written in the past about using Virtual Directory technology to query SQL data via LDAP. This is the reverse and I can envision many use-cases where this would be useful. This isn't exactly new technology, but it's a new write-up on how it's done and very easy to follow.
For example, you could use this approach to extend the information available to an application without doing any data synchronization or introducing new data sources. If the application's logon ID is the user's email address, you could query AD based on that email and get info about the user's group memberships, attributes, manager, location, etc. and have that returned to the application as if the data were stored in the local app's database.
...another useful approach to keep in your development toolbox.
Labels: Active Directory, AD, LDAP, software design, synchronization, virtual directory
Tuesday, November 24
Windows File System Access Rights
I recently did some research into how Windows networking environments apply access rights across file systems. I've been in the IT business for more than a decade. So, if asked, I probably would've told you that I already know how it all works. But, there are a number of intricacies and things I didn't know -- like how security policy can override local NTFS permissions or how Windows doesn't always enforce the most restrictive policy. It seems that Windows enforces permissions based on what it believes to be the administrator's intent, which is interesting.
I published a whitepaper describing all the details. It describes how the controls work and covers the effect of group memberships, inheritance, deny ACEs, the owner attribute, and more. And of course, it provides some guidance for taking control of all that complexity.
You can register for a copy here:
http://www.netvision.com/offer
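As an added example (not NetVision's code, not the whitepaper's content, and not Microsoft's implementation), the Python below models how effective rights fall out of the mechanics mentioned here and in the Dec 10 post on effective rights reporting: nested group expansion, canonical ACE ordering (explicit before inherited, deny before allow), and the owner's implicit rights. All user, group and mask values are constructed, and the owner rule is simplified (it ignores the OWNER RIGHTS SID override).

```python
from dataclasses import dataclass

# Access-mask bits (a subset of the real Windows rights; values are illustrative).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
READ_CONTROL, WRITE_DAC = 0x20000, 0x40000   # implicitly held by the object owner

@dataclass(frozen=True)
class Ace:
    trustee: str     # user or group the ACE applies to
    allow: bool      # True = ACCESS_ALLOWED_ACE, False = ACCESS_DENIED_ACE
    mask: int        # rights this ACE grants or denies
    inherited: bool  # True if inherited from a parent folder

def expand_groups(principal, membership):
    """Transitively expand nested group memberships into a set of identities."""
    seen, stack = set(), [principal]
    while stack:
        ident = stack.pop()
        if ident not in seen:
            seen.add(ident)
            stack.extend(membership.get(ident, ()))
    return seen

def canonical_order(dacl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))

def effective_rights(principal, dacl, membership, owner=None):
    """Per right bit, the first ACE in canonical order that mentions it wins."""
    identities = expand_groups(principal, membership)
    granted, denied = 0, 0
    if principal == owner:   # simplified: real Windows also honours OWNER RIGHTS ACEs
        granted |= READ_CONTROL | WRITE_DAC
    for ace in canonical_order(dacl):
        if ace.trustee not in identities:
            continue
        if ace.allow:
            granted |= ace.mask & ~denied   # cannot grant a bit already denied
        else:
            denied |= ace.mask & ~granted   # cannot deny a bit already granted
    return granted

def has_access(principal, requested, dacl, membership, owner=None):
    return (effective_rights(principal, dacl, membership, owner) & requested) == requested

# Constructed sample data: alice is in Dev-Team, which is nested in Engineering.
SAMPLE_MEMBERSHIP = {"alice": {"Dev-Team"}, "Dev-Team": {"Engineering"},
                     "bob": {"Contractors"}}
SAMPLE_DACL = [
    Ace("Engineering", True, READ | WRITE, inherited=True),    # reaches alice via nesting
    Ace("Contractors", False, WRITE | DELETE, inherited=True), # inherited deny on bob's group
    Ace("Contractors", True, READ, inherited=True),
    Ace("alice", False, DELETE, inherited=False),              # explicit deny on the user
    Ace("bob", True, WRITE, inherited=False),                  # explicit allow beats inherited deny
]
```

bob ends up with WRITE despite the inherited deny on Contractors, which is the "not always the most restrictive" behaviour described above; alice loses DELETE only because her explicit deny is evaluated first.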
Thursday, November 12
The End of Internet Security
Remember all that stuff I said about how we already have an end-to-end security solution that ensures that users are connected to the right web site and that there's no eavesdropping going on? Well, you can scratch all that.
I knew there was a User Experience problem with SSL in that most people ignore that it's happening and therefore don't notice when it's not happening. I also knew that there are known potential attacks on SSL, but it seems there's a newly discussed renegotiation problem that makes the whole system seem suspect. This posting from RSA does a good job at providing an explanation.
This is a big deal. SSL really IS web security. So many other security solutions rely upon it -- assuming that communication is safe and secure because it's done over SSL. Even if all the major vendors get a fix out tomorrow, we'll probably see this problem around for years to come.