Showing posts with label Identity Management. Show all posts

January 21, 2013

The Amazing Security Race

January 4, 2013

Oracle stays higher and untouchable in the Magic Quadrant

Oracle has kept its innovation higher and better. The latest Gartner's MQ reflects the same.

October 26, 2012

Oracle Identity Governance - Assets

If you are in the space of Identity Management and work for Oracle products, you certainly want to visit the Assets page on OTN.

In today's market, who else provides intelligence to the public just as Oracle does? :-)

September 6, 2010

Attention Sun IdM Customers - What's Your "Plan B"?


This is what Sailpoint says about SUN Identity Manager, its customers and the solutions they can offer to these customers. Interesting read.

It's always sad to see SUN Technologies dying.

September 1, 2010

epoch conversion tool

What is epoch time?

Short description from Wikipedia:
Unix time, or POSIX time, is a system for describing points in time, defined as the number of seconds elapsed since midnight proleptic Coordinated Universal Time (UTC) of January 1, 1970, not counting leap seconds.

Where do you find it in IAM parlance?
I have found that Sailpoint's IdentityIQ uses this convention for all dates. Examples are create date, expiration date, etc.

So if you want to understand what are the exact dates?
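As an added example (not from the original post and not SailPoint code), the sketch below turns epoch values into readable UTC dates and checks an expiration date against a reference time. The record field names and values are constructed, and treating large values as milliseconds (the unit Java's `Date.getTime()` returns) is an assumption.

```python
from datetime import datetime, timezone

# Assumption: magnitudes at or above this are milliseconds. 10**11 seconds lies
# beyond the year 5000, while 10**11 milliseconds is only March 1973.
MS_THRESHOLD = 10**11

def epoch_to_utc(value):
    """Convert an epoch value (int or numeric string, seconds or ms) to UTC."""
    n = int(value)
    seconds, millis = divmod(n, 1000) if abs(n) >= MS_THRESHOLD else (n, 0)
    moment = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return moment.replace(microsecond=millis * 1000)

def readable(record, date_fields=("created", "expiration")):
    """Return a copy of record with the epoch date fields as ISO 8601 strings."""
    out = dict(record)
    for field in date_fields:
        if record.get(field) not in (None, ""):
            out[field] = epoch_to_utc(record[field]).isoformat()
    return out

def is_expired(record, now_epoch):
    """True when the record has an expiration date at or before now_epoch."""
    if record.get("expiration") in (None, ""):
        return False                      # no expiration set
    return epoch_to_utc(record["expiration"]) <= epoch_to_utc(now_epoch)

# Constructed sample record; the field names are hypothetical.
SAMPLE = {"name": "jdoe", "created": "1283299200000", "expiration": 1293839999}

if __name__ == "__main__":
    print(readable(SAMPLE))
    print(is_expired(SAMPLE, 1293840000))
```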

March 5, 2010

Password Reset Issues

I regularly read Jackson's Blog and today I found a very interesting post which was talking about a particular presentation in the RSA conference. I recommend everyone to read it. One line I thought should be mentioned here from the presenter's website was ...

It has been estimated that the average cost of a password reset involving a help-desk call is $22

So how much are companies bleeding on password reset calls???

October 9, 2009

Liferay Symposium 2009


On 5th October 2009, Liferay conducted a symposium in Bangalore at Hotel Leela Palace. My company, Nous Infosystems is a Silver Partner to Liferay.

I had a one-hour slot to talk. Being an Identity guy myself, and wanting to present something relevant to Liferay, I chose to integrate Liferay with Sun Identity Manager. After experimenting with the integration, I presented a paper on it.

Highlights:

We leveraged the Liferay API for the following functions
  • Retrieve a list of all the Roles available in the Liferay System
  • Retrieve a list of all the User Groups available in the Liferay System
  • Retrieve a list of all the Communities available in the Liferay System
  • Override the User Create function to create user with a given set of parameters
  • Create web service calls for all the functions
Using these web service calls, we retrieved the list of user groups, roles and communities from the Liferay system dynamically every time Liferay was selected as a resource for any user. After combining the policies for mapping roles to communities and user groups, the user was provisioned to the Liferay User table using a web service; this web service calls a function which overrides the basic Liferay API create user function. Updates and deletes work similarly.

All comments and discussions are welcome. The presentation can be found here.


Note: The one in the suit is not me :-)

September 18, 2008

What am I doing?

Yepp, it's been some time since I got uncertain about what I should be doing. Finally I have decided to move a little ahead in Identity and learn something about Identity Governance. I am currently working on Sailpoint's Identity IQ implementation for a large bank.

September 8, 2008

Sailpoint - Identity IQ

Ever heard of Recertifications? I am talking about Access Recertifications which happen in organizations to periodically check who is allowed to access what? This process in many organizations goes this way ...
  1. Collect user database from every Application owner across the organization
  2. Consolidate the list with respect to managers
  3. Send the lists to manager to verify if each of those users require the access to the application with whatever access level specified
  4. Once the manager gives his decision, the users' accesses are either revoked or modified, which again is a lengthy process, as everyone acknowledges
Sailpoint's Identity IQ addresses this issue. The product, just like an Identity Manager, provides a unified view of all the organization's users, with all the data pertinent to Recertifications. Once the product is configured for all the necessary applications and the user data is in, scheduled Certification Requests can be fired to every manager in the organization. Escalations can also be handled. The managers can just log in to the application and either recertify, revoke or modify user access to every application.

So most of the process is automated now. Don't think it's done yet. It can also make SPML calls to any provisioning engine available (not OOB) in the Identity market and thus automate the complete Recertification process.
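The manual process in steps 1 to 4, sketched as an added example (not SailPoint's code or API): per-application exports are merged into one review list per manager, and the managers' decisions become approve, revoke, modify or escalate actions. All names and sample data are constructed; accounts with no manager on record and items with no decision are surfaced instead of being kept silently.

```python
from collections import defaultdict

def build_review_lists(app_exports, managers):
    """Steps 1-2: merge per-application exports into one list per manager."""
    reviews, orphans = defaultdict(list), []
    for app, accounts in app_exports.items():
        for user, level in accounts:
            manager = managers.get(user)
            if manager:
                reviews[manager].append((user, app, level))
            else:                       # nobody to certify this account
                orphans.append((user, app, level))
    return dict(reviews), orphans

def apply_decisions(reviews, decisions):
    """Steps 3-4: map each reviewed item to an action; unanswered items escalate."""
    actions = {"approve": [], "revoke": [], "modify": [], "escalate": []}
    for manager, items in reviews.items():
        answered = decisions.get(manager, {})
        for user, app, level in items:
            verdict = answered.get((user, app))
            if verdict is None:
                actions["escalate"].append((manager, user, app))
            elif verdict in ("approve", "revoke"):
                actions[verdict].append((user, app))
            else:                       # ("modify", new_level)
                actions["modify"].append((user, app, level, verdict[1]))
    return actions

# Constructed sample data: application exports, HR manager map, decisions.
APP_EXPORTS = {
    "payroll": [("asha", "admin"), ("ravi", "read"), ("tmp-batch", "admin")],
    "crm": [("asha", "read"), ("meena", "write")],
}
MANAGERS = {"asha": "kiran", "ravi": "kiran", "meena": "lata"}
DECISIONS = {"kiran": {("asha", "payroll"): ("modify", "read"),
                       ("asha", "crm"): "approve",
                       ("ravi", "payroll"): "revoke"}}

if __name__ == "__main__":
    reviews, orphans = build_review_lists(APP_EXPORTS, MANAGERS)
    print(orphans)
    print(apply_decisions(reviews, DECISIONS))
```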

Read more about these at Sailpoint

One last thing, if I am not wrong these features are available in the world's renowned ... :-)

August 12, 2008

Why do companies end up paying huge amounts for Identity Projects?

The sure answer would be indiscipline. Any doubt?
When one starts up a company, the least preference is given to IT discipline. No directory implementation, no domains etc., which results in process chaos after a few years. Then managements start thinking about bringing things in order and not only end up paying huge amounts to get it straight but also end up with improper implementations. I have seen many companies which never had any system according to conventional methods when it comes to user management.
The question that bugs me every moment is why companies do not leverage the open source tools available? Directories are available in the open, operating systems are available in the open, so why can't one use these?
These are my view points:
1. The day the company is christened a directory structure should be in place
2. Every employee record should be present in it.
3. All the available systems in the office should authenticate the user against this directory
4. Employee should be given an option to change his passwords and few other details online
5. Form filling should be avoided on the induction day, instead a webpage should be used and the data should be recorded into a HR database and then should be fed to the directory
6. A small PLSQL trigger on the database can create the email address without conflicts
7. Free Identity tools like SUN Identity Manager should be implemented within one year
8. Every application or tool that the organization needs should be under the purview of Identity Manager
Am I missing something???
I feel these are the basics that one should do for the company's IT wellness in the long run.

July 16, 2008

An update on ViDT

Today I received a comment on my previous post on ViDT.

"Is VIDT available in Market or from Sun? Could you provide some more detail about VIDT?"

The answer would be that ViDT, which was previously known as VIP, was the IP of Neogent. This tool makes the implementation of the organizational Identity framework much easier and thus faster. As this tool started achieving popularity, SUN acquired Neogent. Now this tool is used by SUN PS folks to implement the framework faster. It is not available outside for anyone else. SUN has kept it for itself :-)

June 20, 2008

Why IDM initiatives fail?

First check this post


What is said here is true. The people who are building solutions only think of technical issues always, rather than the features which are roots of the organization, viz. Processes and Policies. From an architecting perspective it is very crucial to understand the processes of the organization and then chalk out a plan for work rather than checking out what can be done by the product.

I feel, technologically everything is possible, with the only two constraints - TIME and MONEY. If a space shuttle can be sent to MARS, then an Identity implementation is possible, with or without the chosen product's features. However the feasibility of a solution with respect to time and money has to be planned when one architects.

Just my thought ...

Metaview deprecated - SUN Identity Manager 8.0

The best thing I feel SUN developers did was that they removed the Metaview feature. It reportedly had a couple of bugs and I was once caught by them :-(

June 4, 2008

SUN Identity Manager 8.0 is released

SUN Identity Manager 8.0 is out

For all the enthusiasts - come download and experience the amazing product


A brief overview of this release:

Sun Identity Manager 8.0 is the latest version of the Sun Identity Manager product offering with expanded Role support, enhanced reporting capabilities, and updated resource adapter and application server support. This update improves upon the industry-leading Identity Manager 7.1 solution with:

# Role Enhancements
  • Role life cycle management can require approvals on Role creates, edits and deletes, and Role changes can be applied to all assigned Users.
  • User-to-Role life cycle management improvements enable support for future and temporary Role assignments.
  • Default Role types including Business Roles, IT Roles, Applications, and Assets are now provided to encourage best practices with regards to Role management.
  • Business Roles can contain roles required by all, conditional for some, and optional (by request and optional approval) for others. A Business Role designer can define coarse grain access, while delegating to the user or a manager the ability to fine tune the access within the scope of a Business Role.

# Enhanced Reporting with Data Exporter
  • Manager operational data can be made available for use by other processes and applications.
  • Data held by and flowing through Identity Manager can be periodically exported to a customer-managed data warehouse or third-party business intelligence and reporting tools.
  • Exported data can be used to answer historical questions regarding 'Who had access to a system, and who approved that access?'. It can also be used to provide reports on operational behavior over time, such as 'Provision Operations by Resource' and 'Workflow Approval Response Times'.
# Attribute Configuration
  • Extended, queryable, and summary attributes can now be configured for roles as well as users.
  • The new extended attribute configuration supports specification of value syntax (STRING, INT, DATE, or BOOLEAN), whether the attribute can have a single or multiple values, and a text description for the attribute.

# Other Notable Updates
  • UNIX resource adapters now support SSH connections using private/public key pairs for authentication to managed resources.
  • Service Provider user password changes will be checked against the password policy configured on the user directory.
# Supported Resource Additions and Updates
  • Exchange 2007 (New)
  • Microsoft Active Directory Application Mode (ADAM) (New)
  • RSA SecurID 6.1.2 (Updated)
  • Siebel CRM 8.0 (Updated)
  • Oracle E-Business Suite on Oracle Applications 12 (Updated)
  • HP OpenVMS 8.3 (Updated)
# Supported Application Server Updates
  • Sun Java System Application Server 9.1 (GlassFish v2 UR1, 32-bit and 64-bit)
  • Oracle Application Server Enterprise Edition 10g Release 3 (10.1.3)
  • Oracle Application Server Standard Edition 10g Release 3 (10.1.3)
  • BEA WebLogic Server 10
  • JBoss Application Server 4.2

# Bug Fixes and Platform Support Updates

For more information about the features in this release, see the Identity Manager 8.0 Release Notes or the Identity Manager documentation set.

May 20, 2008

8 - The wait is over


Yes the wait is over. Very soon the latest version, 8.0 of Identity Manager will be out. Keep checking for updates on the same.

March 14, 2008

Open Source at SUN - Identity Management

The Identity Manager IDE has been open-sourced. As a side note, this also means that the Eclipse plugin is officially out there. The versions of IdM that are supported include 6.0 (sp3/sp4), 7.0, 7.1.x.x, 8.0 (after the release).

February 20, 2008

Kindly leave your emailId

I get a few tech queries. Most of them are posted as comments. When I want to get back to them, I do not have their mail id.

Thus kindly post your mail id.

Thanks a lot.

February 5, 2008

SUN Identity Manager - A Tip

When a resource is created (ex: LDAP) you may test this. Enter the credentials to connect except the password. Amazingly you will find that the Test Connection succeeded. Now save it to have problems later :-)

So if there is a problem in retrieving data or something similar anytime, you better check your resource for password.

Thought it would help some.
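An added example, not part of the original post or of Sun Identity Manager: RFC 4513 defines an LDAP simple bind that carries a DN but an empty password as an "unauthenticated" bind, which a server may accept without verifying any credential, and it is assumed here that this is what the connection test sends. The sketch classifies BindRequest messages and checks resource definitions before they are saved; the resource field names and sample values are constructed.

```python
def _tlv(tag, value):
    """Encode one BER element; short-form length is enough for the samples."""
    if len(value) > 127:
        raise ValueError("sample encoder handles short-form lengths only")
    return bytes([tag, len(value)]) + value

def build_simple_bind(dn, password, msg_id=1):
    """Constructed sample: an LDAPv3 BindRequest with simple authentication."""
    body = (_tlv(0x02, b"\x03") + _tlv(0x04, dn.encode())
            + _tlv(0x80, password.encode()))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, body))

def _read(buf, pos):
    """Read one BER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_bind(pdu):
    """Classify a BindRequest by the simple-bind cases of RFC 4513 section 5.1."""
    tag, msg, _ = _read(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read(msg, 0)               # messageID
    tag, req, _ = _read(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = _read(req, 0)               # version
    _, name, pos = _read(req, pos)          # bind DN
    tag, cred, _ = _read(req, pos)
    if tag != 0x80:
        return "sasl"
    if cred:
        return "name/password"
    return "unauthenticated" if name else "anonymous"

def check_resource(resource):
    """Finding text if the stored credentials would not authenticate the DN."""
    pdu = build_simple_bind(resource["bind_dn"], resource.get("password") or "")
    kind = classify_bind(pdu)
    if kind == "name/password":
        return None
    return f"{resource['name']}: {kind} bind, password is empty"

# Constructed sample resource definitions; the field names are hypothetical.
RESOURCES = [
    {"name": "ldap-hr", "bind_dn": "cn=idm,dc=example,dc=com", "password": ""},
    {"name": "ldap-it", "bind_dn": "cn=idm,dc=example,dc=com", "password": "x9!k"},
]
```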

January 26, 2008

Login.jsp redirects to Configure: Import Exchange File

Product: Sun Identity Manager

You have hit the idm admin URL and you are redirected to the Configure: Import exchange file page? Did this ever happen to you? A snapshot of that looks like this.

Did you observe the logged in as field? Yes this is something funny that can happen to you.

Reason: Your IdM is unable to locate the database. If someone has removed your database, or something of the same sort has happened, then you see this page.

Solutions:

1. Recover your database
2. If it's OK to have a fresh Identity Manager, i.e. if you lose nothing, then just import the init.xml from idm-installation-dir\sample\init.xml

January 20, 2008

Still hanging around with any version below 7?

Folks, it looks like the next release of Sun Identity Manager is not too far off. If you are still working with any version below 7, then you may wait to upgrade your skills directly to ?????? Ahaaa ... wait for the release and the number.