May 2016

User Productivity Vs IT Security


Enterprises around the world face more security issues every day, and as a result organizations are looking to improve their security measures. One fundamental part of security is ‘Availability’, which ensures reliable and timely access to data and resources for authorized individuals. Protection mechanisms must be in place against inside and outside threats that affect the availability of data and the productivity of users.

This sounds easier to accomplish than it is in reality. Striking a balance between security and user productivity is a critical task for security professionals. End users may not be aware that following the organization’s security measures is necessary to prevent serious data breaches. The more compliant an organization is, the stronger its IT security. On the other hand, that compliance will automatically decrease user productivity. Keeping a balance between security and user productivity is a perennial challenge.

One way of achieving this is to give users least privilege, in other words to allow users access only to what they need to do their work. This looks like the better solution, but it may result in lower productivity and frustrated employees. For example, if an employee is missing access to a resource, the organization’s security policy may mean it takes days to provide that access, which may lead to missed deadlines.

In this case the frustrated employee may look for ways around the security controls, because his or her goal is always to meet the deadline. Another example is password management. If the security policy forces employees to change their passwords frequently, they may end up keeping a sticky note on their PC to remember the password, which leads to a security breach. If they forget their passwords, they will end up calling the helpdesk for a reset, which decreases user productivity.

The main idea here is to keep a good balance between security and user productivity. One should not come at the expense of the other. A security professional should not blindly follow industry best practices, but should think twice before enforcing any security policy and weigh it against the organization’s needs. Think about whom the policy will affect, to what extent, and how it will affect the end user.

Four Generations of Identity & Access Management


Those who have been associated with the Identity & Access Management domain for more than a decade will recall Access 360, Netigrity, Waveset and BMC’s Control-SA as the first generation of Identity & Access Management solutions. Onboarding and off-boarding users was perhaps the biggest use of these IAM solutions, later supplemented by managing access on the Web. It could take more than two to three years to get a basic provisioning system going with 4-5 applications.

The second generation began with giants like IBM, CA and Oracle, mostly acquiring smaller companies to create, for the first time, Identity Management suites that would cost around half a million dollars, with three times more money sunk in deployment services. They offered solutions to more use-cases in provisioning and web access management. A set of System Integrators (SIs) emerged to help customers implement those solutions in “Time & Material” (T&M) mode. The more a project overran, the more money they made. Rare SIs like ILANTUS brought in the concepts of Fixed Fee implementations and the “Connector Factory” to help customers implement these solutions faster and more economically.

The need for security compliance around “Governance” issues, triggered mainly by SOX and other regulatory requirements, gave birth to Access Governance in the third generation of IAM solutions. Aveksa and, shortly after, SailPoint brought in Access Governance technologies that focused on governance rather than administration.

The fourth generation of IAM has now begun. Rechristened as Identity Governance & Administration (IGA), this generation is bringing in “IDaaS” (Identity as a Service), a cloud-based approach to traditional IAM. While most of the fourth-generation IAM vendors offer basic, low-value commodity solutions like Single Sign On, a few like ILANTUS are offering a complete set of IAM solution services that are relatively inexpensive and quick to adapt.

The Wonder SSO


Single Sign On is a common requirement for all organizations today. A large number of web-based SSO solutions are available in the market. Unfortunately, they cannot sign on to legacy and client-server applications.

The old techniques promoted by vendors like IBM and Oracle are very expensive, complicated to deploy and manage, and do not provide an intuitive user interface.

The only technology that fulfills all requirements of such customers is from ILANTUS. With 3 patents pending, a large number of customers, and key analysts giving it full marks, Xpress SSO has features no one can beat, incredibly small implementation cycles, and is easy to use.

It comes at a price which is a fraction of that of any other solution.

Access Certification as a Service


The first of its kind in the industry, based on a “pay as you go” proposition.

Analysis of security audits in organizations today shows that almost 40% of the security concerns are built around “Application Access” and questions like “who has access to what”, “who authorized it”, and “is the access actually required by the individual, and if not, how to remove it”. These are some of the biggest pain points today for IT administrators, application owners, CFOs and internal auditors.

Attestation technology was built some time ago to automate the process of access reviews. Unfortunately, like most other IT solutions, it has been too costly and very difficult to implement and manage.

To solve this problem Ilantus now brings in a solution called “Access Review as a Service”. With this service the entire process can be executed literally at the push of a button.

The entire process is organized into three phases: Information, Decision and Action.

In the Information phase, the system enables you to pick up information from a large number of applications about who has access to what, down to the granular level of entitlements.

In the Decision phase, the captured access details are passed on to the concerned managers, application owners or roles to decide which entitlements to continue and which ones to revoke.

Finally, in the Action phase the accesses not required are automatically disconnected by the system. A final reconciliation is carried out to ensure all the stated actions have been complied with.

The service hence not only enables you to gather access information and gives you a system to decide on the continuation or revocation but actually enables you to “Action” the decision and reconcile. This closes the loop ensuring you have no undesired accesses left in the system.
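The three phases and the closing reconciliation can be sketched in a few lines. This is an added illustration, not code from the service described here; the application names, users, entitlements and the `READ_ONLY_APPS` connector limitation are constructed assumptions.

```python
"""Access review loop: Information -> Decision -> Action -> reconciliation.
All app names, users and entitlements below are constructed sample data."""

# Constructed per-application entitlement stores (stand-ins for real connectors).
APPS = {
    "erp":   {("alice", "gl_post"), ("bob", "gl_post"), ("bob", "vendor_admin")},
    "crm":   {("alice", "read"), ("carol", "export")},
    "files": {("dave", "finance_share_rw")},
}
READ_ONLY_APPS = {"files"}  # assumption: this connector can read but not revoke

def collect(apps):
    """Information phase: flatten who-has-what down to entitlement level."""
    return {(app, user, ent) for app, grants in apps.items() for user, ent in grants}

def decide(snapshot, decisions):
    """Decision phase: split the snapshot by reviewer decision.
    Items with no explicit decision are reported as pending, never silently kept."""
    keep = {e for e in snapshot if decisions.get(e) == "keep"}
    revoke = {e for e in snapshot if decisions.get(e) == "revoke"}
    return keep, revoke, snapshot - keep - revoke

def act(apps, revoke):
    """Action phase: remove revoked entitlements where the connector allows it."""
    for app, user, ent in revoke:
        if app not in READ_ONLY_APPS:
            apps[app].discard((user, ent))

def reconcile(apps, revoke):
    """Reconciliation: re-read the apps; a revoked item still present is a gap."""
    return sorted(revoke & collect(apps))

def run_review(apps, decisions):
    snapshot = collect(apps)
    keep, revoke, pending = decide(snapshot, decisions)
    act(apps, revoke)
    return {"reviewed": len(snapshot), "pending": sorted(pending),
            "unreconciled": reconcile(apps, revoke)}

# Constructed reviewer decisions; ("crm", "carol", "export") is left undecided.
DECISIONS = {
    ("erp", "alice", "gl_post"): "keep",
    ("erp", "bob", "gl_post"): "keep",
    ("erp", "bob", "vendor_admin"): "revoke",
    ("crm", "alice", "read"): "keep",
    ("files", "dave", "finance_share_rw"): "revoke",
}

if __name__ == "__main__":
    print(run_review(APPS, DECISIONS))
```

The run reports one pending item that no reviewer decided on and one revocation that did not take effect, which are the two cases a review campaign has to chase before the loop is actually closed.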

There are some additional benefits to it. For example, based on the pattern of access available you would be able to put in place a meaningful set of Roles in the organization.

The whole process, for three to five thousand employees and ten to twenty applications, can be implemented for the first time in a matter of a few weeks.

Emerging Trends in IGA / IAM / IDAAS


Many new technology areas have joined the race in recent years to meet new challenges in the IAM/IGA space. Governance of unstructured data, mobile device management, advanced privileged user management and SIEM, and integration between various IAM components are good examples. Unquestionably the most significant of these developments is IDaaS (Identity as a Service). Most analysts and investors agree with that.

IDaaS is a complex, high-entry-barrier domain that is still at an evolving stage. Some vendors have come up with no past experience in this domain. They have come to prominence because they have been able to successfully offer commodity solutions like “Single Sign On”, whose use-cases differ little from one customer to another and which require little or no customization. On the other hand, larger players are trying to offer IDaaS by repackaging their traditional solutions in a new bottle labeled IDaaS. They seriously lack functionality required for today’s business world. They also offer no solution to the growing costs of deployment and support.

Very few vendors come from a service background and therefore understand the complexity of this domain. Many of them have crafted solutions that have the potential to replace traditional solutions at a much reduced cost. These vendors, such as ILANTUS, have come out with products that work in the cloud or on-premise, have out-of-the-box connectors for integrating with a very large number of applications, and include solutions such as access attestation/re-certification, SSO and password management. More importantly, these vendors can provide “premium managed services” that eliminate the need for customers to make any investment in in-house management. Customers need to understand these emerging trends in order to make wise selections and not repeat the disaster of the past.

Five things to know about Identity & Access Management


1) Established IAM solutions do not meet today’s requirements.

Traditional technologies such as those from IBM and Oracle were engineered more than 10 years ago. Although they are proven and comprehensive, they may not be suitable for today’s needs. Examples are quick on-boarding of cloud applications and easy deployment of access attestation/re-certification solutions. Their technologies such as SSO and password management can be truly archaic.

2) SaaS-based IAM solutions exist but need to be examined carefully.

“All IDaaS solutions are not the same”. The leadership positions are yet to be taken, so the rookie of today could be transformed into the king of tomorrow. A set of vendors offer commodity solutions like SSO. But these may not be your long-term vendors if you are looking for deep-dive provisioning or access governance solutions that require deep domain experience and service value addition.

3) Service expertise is as important for IDaaS as for traditional IAM.

You are not going to work with IDaaS without expert support in customization, operations and support. IDaaS in its basic form only eliminates capital expenditure on software and hardware. Expert guidance in areas like assuring smooth operation and chalking out expansion strategies is still needed.

4) Watch out for the cost of IDaaS.

You must compare the cost of IDaaS over a five-year term. Intangibles like vendor experience in IAM are equally important when doing the comparison. The cost of building incremental features, such as integrating with more applications or business process changes, must also be considered. Many customers are realizing that having these features in “perpetual licence” mode but delivered in the cloud may be more cost effective.

5) IAM is a garbage in, garbage out technology.

An IGA implementation is only as effective as the quality of your data. Cleaning up orphan accounts, multiple IDs, duplications and other basic hygiene factors will eventually determine your success in IGA implementation.

Is my Identity Governance & Administration (IGA) Strategy working?


We have sunk too much into Identity Governance & Administration (IGA), which included identity management and access governance, with little result.

After three to four years of deployments my IAM does not provision 80% of my applications.

I continue to face audit challenges in spite of massive investment in IAM.

I have never been able to find right people to manage my IAM initiative.

Do these questions/statements sound familiar to you?

Well, they do to a staggering 86% of organizations, as indicated by the result of a global survey conducted in February 2015. The question is how you know whether your pain points exist because your strategy is not working or, still worse, whether you have a strategy at all, or whether it has largely been a set of knee-jerk reactions to the requirements of your businesses.

Very often IGA strategy is based on visible, immediate pain points analyzed through the lens of outdated technologies that take practically forever to get anything done while costing too much.

IDaaS (Identity as a Service) has largely emerged to solve many of these issues. But be aware that IDaaS is not mature enough to solve all your problems today. Most vendors are good at providing low value-add commodity solutions like “Single Sign On”. Very few provide solutions that can effectively address, for example, your provisioning and governance needs.

So the first step of your IAM strategy, after identifying your pain areas, should be to gather information on what solutions are available. Second, the experience of the vendor in this domain must also be ascertained. Finally, the “ability to execute” must be given high points, as opposed to just the “vision” of the vendor.

Key Milestones and Issues in The Evolution of IDaaS


Identity as a Service (IDaaS) is beginning to show promise today. Things that could not easily be done before with traditional Identity & Access Management products are now being promised under the aegis of IDaaS.

The evolution of IDaaS began with a pain felt by business organizations across the globe: difficulty in signing on to multiple devices and applications. With the advent of cloud applications and their growing popularity, business units began making their own decisions on the selection of applications, sometimes even without the involvement of the IT department. This was considered impossible in the old world of on-premise applications, where the advice, guidance and even approval of the IT department was a must.

The emergence of large numbers of niche business applications in the cloud led to quick on-boarding of many applications on multiple devices. Soon business users were finding it difficult to sign in, as multiple logins and passwords made it hard to access multiple applications without hassle. During 2011, a new technology solution emerged, “cloud based Single Sign-on”, which was a perfect answer to the problem. This was the first milestone in the evolution of IDaaS.

On-boarding and off-boarding users across a large number of cloud applications was the next difficult phase for enterprises. Adding to the problem, poor off-boarding practices left users with cloud applications available to them even when not required, which made companies pay huge, never-imagined subscription costs. CFOs are beginning to get worried looking at the subscription bills. In fact, serious thought is being given to perpetual licences and private-cloud-based SSO, driving IDaaS solutions towards their second milestone.

The need to answer identity governance questions like “who has access to what”, “who authorized it” and “is the access really needed” is driving the need for Access Governance in the cloud through a totally new, service-subscription-based approach. “Access Certification/attestation” seems to be on the demand chart, with users beginning to ask for it, making it the third milestone in the evolution.

Four Generations of Identity & Access Management (Story of dissatisfied customers)


Access 360, Netigrity, Waveset and BMC’s Control-SA can be remembered as the first generation of Identity & Access Management solutions, from over a decade ago. On-boarding and off-boarding users was the biggest use of these IAM solutions, later supplemented by managing access on the Web. It could take more than two to three years to get a basic provisioning system going with 4-5 applications.

The race in the second generation began with horses like IBM, CA and Oracle acquiring smaller companies to create, for the first time, Identity Management suites that would cost around half a million dollars (for 3000 users), with three times more money sunk in deployment services. They offered solutions to more use-cases in provisioning and web access management. A set of System Integrators (SIs) emerged to help customers implement those solutions in “Time & Material” (T&M) mode. The more a project overran, the more money they made. Very few systems integrators like ILANTUS brought in the concepts of Fixed Fee implementations and the Connector Factory to help customers implement these solutions faster and more economically. Customers also began looking for SIs to help them manage IAM installations, especially in the SMB sector. Again, only a handful of SIs like ILANTUS could develop this capability.

The need for security compliance around “Governance” issues, triggered mainly by SOX and other regulatory requirements, gave birth to Access Governance in the third generation of IAM solutions. Aveksa and SailPoint shortly introduced Access Governance technologies that focused more on governance than administration.

The fourth generation of IAM began in the year 2012. Rechristened as Identity Governance & Administration (IGA), this generation is bringing in “IDaaS” (Identity as a Service), a cloud-based approach to traditional IAM. While most of the fourth-generation IAM vendors offer basic, low-value commodity solutions like Single Sign On, a few like ILANTUS are offering a complete set of IAM solution services that are relatively inexpensive and quick to adapt.

Customers have largely been dissatisfied so far with the first three generations of IAM solutions. Let us hope IDaaS vendors will be able to reverse this trend.