XSS Wordpress Trackback Hack?
My wife’s blog started misbehaving recently, main symptom being that the RSS feed just wasn’t working properly. Ultimately I ended up doing a fresh installation of Wordpress 2.6 and still the problem persisted. After changing themes a few times I realized that this was some other issue, and tried to load the RSS feed URL in Internet Explorer - FF just said the feed couldn’t load.
IE displayed the following message:
Only one top level element is allowed in an XML document.
Line: 35 Character: 2
<div style='position:absolute; left:-1000px; top:-1000px;'>Research Drug Overdose did you hear about <a href=http://www.youtube.com/traxtenberg555>generic buy viagra</a>Cheapest viagra to give you the most answers about aricles on Viagra if you have been trying to use <a href=http://forum.lycos.de/member.php?u=26282 TARGET=_blank>buy viagra online</a>Experience with Viagra <a href=http://www.answerbag.com/profile/?id=310168 TARGET=_blank>buy viagra mastercard</a>.
It seems as if a script inserts the above text right before the </body> tag, and if you look at the source of each WP page you'll see it added every time.
I searched high and low for this text in all the posts and WP files, and didn’t find a single thing. In the end I realized this is an external factor, i.e. not something in the blog code or content itself, and ultimately I disabled the following 2 items in the discussion settings in the WP admin console - which did the trick…

Technically I’m not sure how this happens, but I know that it went away after I disabled the above 2 settings.
As a matter of interest, do a Google search for "aricles on viagra" and take a look at all the sites affected.
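Two checks a site owner can run when a feed breaks like this, written as an added example (not the post's own code or anything from WordPress): the first walks a page's HTML and pulls out every link that sits inside an element hidden by off-screen positioning or display:none, which is the classic SEO-spam pattern quoted above; the second confirms the feed parses as a single XML document, which is exactly the test IE failed with "Only one top level element is allowed". The page fragment and feed below are constructed samples modelled on the quoted snippet, and the spam.example hosts are placeholders.

```python
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample page, modelled on the fragment quoted above: a div
# pushed thousands of pixels off-screen so visitors never see it but
# search engines still index the links it carries.
SAMPLE_PAGE = """<html><body>
<p>Normal post content.</p>
<div style='position:absolute; left:-1000px; top:-1000px;'>Research Drug
Overdose <a href=http://spam.example/one>generic buy viagra</a>
<a href=http://spam.example/two TARGET=_blank>buy viagra online</a>.</div>
</body></html>"""

# Constructed sample feed: valid RSS followed by the injected div, which is
# what produces "Only one top level element is allowed in an XML document".
SAMPLE_FEED = ('<?xml version="1.0"?><rss version="2.0"><channel>'
               '<title>blog</title></channel></rss>\n'
               "<div style='position:absolute; left:-1000px;'>spam</div>")

OFFSCREEN = re.compile(r"(left|top)\s*:\s*-\d{3,}px", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link"}  # tags that never close


class HiddenLinkFinder(HTMLParser):
    """Collect hrefs that sit inside an element hidden by off-screen
    positioning or display:none."""

    def __init__(self):
        super().__init__()
        self.depth = 0          # nesting depth inside a hidden element
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden_here = bool(OFFSCREEN.search(style)) or "display:none" in style
        if tag not in VOID:
            if self.depth > 0:
                self.depth += 1         # still inside the hidden subtree
            elif hidden_here:
                self.depth = 1          # entering a hidden subtree
        if self.depth > 0 and tag == "a" and a.get("href"):
            self.hidden_links.append(a["href"])

    def handle_endtag(self, tag):
        if self.depth > 0 and tag not in VOID:
            self.depth -= 1


def find_hidden_links(html):
    """Return links found inside hidden elements (an SEO-spam indicator)."""
    p = HiddenLinkFinder()
    p.feed(html)
    p.close()
    return p.hidden_links


def feed_is_well_formed(xml_text):
    """True if the feed parses as exactly one XML document."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False
```

Run `find_hidden_links` over the rendered HTML of a page (or `feed_is_well_formed` over the raw feed) after each settings change; if the hidden links disappear and the feed parses again, the injection path was the one you just closed.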
Identity Management Pitfalls
In articles one and two I made the case for Identity management (IdM) and showed how an IdM solution can address the everyday problems experienced in organizations. In this article I'm bringing things back to reality and highlighting the aspects that could cause your IdM project to overrun and under-deliver.
Firstly, technology is only about 20% of the solution. IdM is an extremely process driven solution and, as with any new system where you automate manual processes, you have to realize that those processes will change and have to be redefined with all the parties involved. Depending on the maturity of your business processes this can be a lengthy part of the overall project.
Be aware of your internal skill set when attempting an IdM project. IdM is still the new technology on the block, and although there's nothing resembling rocket science about it, you still need to understand the concepts of implementing an IdM solution and learn the technology you choose to do it with. Consider using external consultants who specialize in IdM and have a proven track record; they can shorten the time to realizing your ROI.
Your chosen IdM solution might also force you to run specific software and hardware infrastructure with which you have no experience or available skills. This will obviously put extra strain on existing resources, or you'll have to appoint new staff to deal with it.
Be frugal when establishing your identity attributes. Don't manage attributes because you might need them one day, or because it's easy for the IdM solution to do so. Depending on the maturity of your application architecture you should try to avoid managing business attributes (account balances, policy status) in your solution, unless they have a direct impact on the security aspect of the identity. There are exceptions of course.
If you have a successful IdM implementation the chances are extremely good that you will make certain people and positions redundant, as these positions were created to deal with the lack of a proper IdM solution. Identify these people and positions early in the project and provide them with the opportunity to improve their skills and either make them a part of the IdM project, or migrate them to another area of the organization.
IdM projects take time. 2-3 year implementations are not unheard of, and the key to a successful implementation is proper planning. Experienced external consultants can help to speed things up and mitigate many of the risks you will encounter sooner or later.
Identify the low hanging fruit. IdM solutions tend to be costly and lengthy because of sheer scale and legacy complications, but delivering quick and continuous returns that prove the project is an asset will ensure it survives the budget-axe wielded on all financial black-hole projects.
I hope these 3 articles have provided some insight into what IdM is, what it can do for you, and which things you need to keep an eye out for. Implementing an IdM project is extremely rewarding, but can become very sticky as well, so don’t go into it with your eyes closed.
The Identity Management Solution
In my first article I described the requirement for an Identity management (IdM) solution. In this article I will highlight some of the ways in which a properly implemented IdM solution can meet those requirements.
One of the very first deliverables in an IdM project is to establish the single view of an identity. Your IdM solution will integrate with all the authoritative sources for each identity attribute and bring them together in a central location to provide a single view of all the identities within your organization.
With the single view established your IdM solution will ensure that it remains consistent across the organization by syncing all relevant changes to all the interested systems. Once the single view of an identity becomes consistent across the organization the entire identity life cycle becomes extremely efficient.
New users are only captured once in the system and all changes will be propagated automatically, or by using workflow processes where approval is required to ensure that the new user has everything they need (pc, desk, telephone, access rights, accounts, etc) to start working on the very first day they arrive for duty.
A good IdM solution will provide a user self-service facility, enabling users to eliminate most of their interactions with support staff throughout the change phase of the life cycle. Industry figures commonly put password-related calls at roughly 40% of all help desk volume, and a self-service facility lets users reset their passwords themselves in a secure, authenticated manner without involving the help desk staff, thereby greatly reducing the help desk load.
Once the user hands in their resignation (or gets fired) the IdM solution will ensure that all accounts are disabled, and deleted where required, and can integrate with your asset management systems to ensure that all equipment used by the staff member is collected and returned to stores. Not only does this reduce the security risk of dormant accounts, but it also improves asset management by ensuring that everybody stays in the loop.
Legislative requirements around auditing are increasing, and most good IdM solutions provide end-to-end auditing straight out of the box, with a select few providing the capability to audit the auditor, giving you complete visibility of the changes that affect the identities and their security profiles in the organization. This lets you see clearly which triggers caused a user to have the access rights and privileges they have, and how they came about.
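The mechanics described in this article (a single view built from authoritative sources, propagation to connected systems, joiner/mover/leaver handling and an audit trail you can query) fit in a few dozen lines once stripped of product specifics. The following is an added example, not code from any IdM product or from this blog: the attribute-to-source authority map, the two target systems and the employee record are all constructed for illustration.

```python
import datetime as dt

# Which source system is authoritative for which attribute. Constructed
# for this example: HR owns the person, the directory owns the mailbox.
AUTHORITY = {
    "given_name": "hr", "surname": "hr", "department": "hr", "status": "hr",
    "email": "directory",
}


class TargetSystem:
    """A connected system (AD, mail, badge database...) receiving synced changes."""

    def __init__(self, name, attrs):
        self.name = name
        self.attrs = attrs          # attributes this system consumes
        self.accounts = {}          # employee_id -> account record

    def apply(self, eid, identity):
        acct = self.accounts.setdefault(eid, {"enabled": True})
        for attr in self.attrs:
            if attr in identity:
                acct[attr] = identity[attr]
        # Leaver handling: anything but an active status disables the account.
        acct["enabled"] = identity.get("status") == "active"


class IdentityVault:
    """Holds the single view of each identity and an append-only audit trail."""

    def __init__(self, targets):
        self.identities = {}
        self.targets = targets
        self.audit = []

    def _log(self, source, eid, attr, old, new, outcome):
        self.audit.append({
            "ts": dt.datetime.now(dt.timezone.utc).isoformat(),
            "source": source, "eid": eid, "attr": attr,
            "old": old, "new": new, "outcome": outcome,
        })

    def ingest(self, source, record):
        """Apply a record from a source, honouring attribute authority,
        then propagate any change to every connected system."""
        eid = record["employee_id"]
        ident = self.identities.setdefault(eid, {"employee_id": eid})
        changes = {}
        for attr, new in record.items():
            if attr == "employee_id":
                continue
            if AUTHORITY.get(attr) != source:
                self._log(source, eid, attr, None, new, "rejected: not authoritative")
                continue
            old = ident.get(attr)
            if old != new:
                ident[attr] = new
                changes[attr] = (old, new)
                self._log(source, eid, attr, old, new, "applied")
        if changes:
            for target in self.targets:
                target.apply(eid, ident)
                self._log(source, eid, "sync", None, target.name,
                          "propagated " + ",".join(sorted(changes)))
        return changes

    def history(self, eid, attr):
        """Answer 'how did this user come to have this value?' from the trail."""
        return [e for e in self.audit if e["eid"] == eid and e["attr"] == attr]


def demo():
    """Joiner, mover and leaver driven through the vault with constructed data."""
    ad = TargetSystem("ad", ["given_name", "surname", "department"])
    mail = TargetSystem("mail", ["email"])
    vault = IdentityVault([ad, mail])
    # Joiner: captured once in HR, propagated to every target.
    vault.ingest("hr", {"employee_id": "e100", "given_name": "Ann",
                        "surname": "Smith", "department": "Finance",
                        "status": "active"})
    vault.ingest("directory", {"employee_id": "e100",
                               "email": "ann.smith@example.com"})
    # Mover: a surname change may only come from HR; the directory's is refused.
    vault.ingest("directory", {"employee_id": "e100", "surname": "Jones"})
    vault.ingest("hr", {"employee_id": "e100", "surname": "Jones"})
    # Leaver: one status change disables every connected account.
    vault.ingest("hr", {"employee_id": "e100", "status": "terminated"})
    return vault, ad, mail
```

The rejected write from the directory is the part worth noticing: without an authority map, the last system to sync wins and the "single view" quietly becomes whichever source wrote most recently. The `history()` call is the "how did they come to have this" question from the auditing paragraph, answered from the same trail that records the propagation.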
The above are some of the benefits almost every organization can realize from implementing an IdM solution. In my next article I will discuss some of the pitfalls and problems you should be aware of when going through an IdM project.
My Digital Document Management Solution
Scanning physical documents to PDF is probably the worst thing that happened to paper filing companies, and while it's fantastic to have your invoices, quotes and statements available in digital format, it does tend to create its own problems as well.
Currently I carry an external hard drive with me on which I store all my personal non-work things that you typically don’t want to expose to the administrators on the network at work. Although this is a very workable solution it becomes a bit of a schlep when you have to haul it out of your bag every time you need to reference a document when you’re on the phone to somebody disputing payment or figures.
I eventually started mailing all my docs to my gmail account, which provided me with all the document management features I could need. I can label my docs (mails), search for them (or the subject of the mail rather), and if you trust Google then you believe that your docs are both securely hidden away behind their security infrastructure and that it’s backed up so that you’ll never lose it.
The gmail document management solution sufficed, but I ended up with a ton of labels, and the mail-oriented interface just doesn't work that well as a file browser and explorer. Although there are many document management solutions available, some even free and OSS as I like it, you are still left with a management nightmare. Performing backups and restores is hardly my idea of fun, and that completely eliminates any personal solution, whether free or not.
I’ve been a long-time fan of Sharepoint. The collaboration features are fantastic and it is overall a very usable system. Of course I will never run Sharepoint at home (not sure it runs on OpenSUSE…) which explains my utter excitement when a friend told me about Google Sites - Google’s free online collaboration tool.
Sites integrates with Google Apps, and luckily I'd set up my Apps previously in an earlier experiment (the joys of having your own domain). I immediately set about creating my site and started uploading all the scanned PDF documents I'd been carrying around on my external drive. Sites allows you to create a logical folder structure, and as it's intended to be a collaboration tool you can always invite other people to, err, collaborate with you on your documents. Google Docs has provided collaboration for a long time, but you could never (that I knew of) upload a PDF to Docs.
So looking at the entire Google Apps suite: email, documents, calendar, chat, web pages and sites, you have to wonder when companies are going to wake up to the fact that they don't need their own collaboration infrastructure, and that they don't have to keep paying Microsoft Exchange and Sharepoint administrators and managing SAN storage to ensure that their staff can receive mail and collaborate on documents, securely of course.
Once again, well done Google!
The Case for Identity Management
Identity management (IdM) has become a buzz phrase in the industry surrounded by more confusion than facts and experience. So what exactly is an identity and why do we need to manage it?
An identity consists of attributes describing a person: typically name, surname, ID number, email address, etc. IdM concerns itself with the management of these attributes as the person travels through a typical life cycle; in this example the person is an employee in a company.
Consider the usual HR process when a person joins a new company. The person completes forms specifying his particulars, which will be captured into the HR system, which is typically not integrated with any other system. The form is then sent on to the PABX and Windows administrators to arrange the new employee’s phone, system account and email address — and so the process continues until the new employee can do their daily work activities.
This is the start of the identity life cycle, inevitably followed by change. People's details change (e.g. surname changes), and typically employees are firstly oblivious to the multiple systems in which they exist, and secondly unsure exactly which one of the weird IT guys to speak to in order to have their details updated. Given that these systems aren't integrated, they have to repeat this process until they have finally updated all the systems.
In a company, most systems attach digital and physical access privileges to a person’s position and place in the company’s organisational structure. As people move around within a company and change position, there is an even bigger requirement to manage their access privileges - firstly by avoiding any security risks by removing the previous set of privileges that they no longer need, and secondly to assign their new access rights so that they experience no breaks in productivity.
Scaling up the above scenario to a company with thousands of employees and numerous stand-alone systems breeds a management and security nightmare, with a complete lack of end-to-end traceability of the changes made to a person's identity and security profile over time.
The end of this identity life cycle is when the employee resigns. All accounts, rights and privileges must be revoked immediately so as not to leave any dormant accounts in the systems which could potentially be used in a security breach. Data breaches are becoming more and more common and countries like the USA are moving to get legislation in place to hold the company accountable for these breaches.
The above example illustrates a very real scenario in most organisations today. IdM has never received the attention it requires to ensure the automated end–to–end management of these identities while providing full auditing and traceability required for numerous regulatory requirements, which is becoming a reality for almost all companies maintaining customer data.
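Before any IdM tooling exists, the scenario above can at least be measured. Below is an added example (not from this blog or any product) of the reconciliation check a practitioner typically runs first: join each stand-alone system's account dump against the HR roster and flag orphaned accounts, leavers whose accounts are still enabled, attribute drift, and active staff with no account at all. The roster and the two account dumps are constructed sample data, and the assumption that all systems share an employee-ID key is exactly the assumption that often fails in real estates.

```python
# Constructed sample data: an HR roster plus account dumps from two
# stand-alone systems that share an employee-ID key. In practice the lack
# of a common key is often the first thing an IdM project has to fix.
HR = {
    "e100": {"surname": "Smith",  "status": "active"},
    "e101": {"surname": "Jones",  "status": "terminated"},
    "e102": {"surname": "Naidoo", "status": "active"},
}
SYSTEMS = {
    "ad": {
        "e100": {"surname": "Smith", "enabled": True},
        "e101": {"surname": "Jones", "enabled": True},   # leaver, still enabled
        "e102": {"surname": "Naidu", "enabled": True},   # surname never updated
        "e999": {"surname": "Temp",  "enabled": True},   # nobody in HR owns this
    },
    "mail": {
        "e100": {"surname": "Smith", "enabled": True},
        "e101": {"surname": "Jones", "enabled": False},
    },
}


def reconcile(hr, systems):
    """Compare every system's accounts against the HR roster and return
    (system, employee_id, finding) tuples for anything out of line."""
    findings = []
    for sysname, accounts in systems.items():
        for eid, acct in accounts.items():
            person = hr.get(eid)
            if person is None:
                findings.append((sysname, eid, "orphan: no HR record"))
                continue
            if person["status"] != "active" and acct["enabled"]:
                findings.append((sysname, eid, "dormant: leaver still enabled"))
            if person["surname"] != acct["surname"]:
                findings.append((sysname, eid,
                                 f"drift: surname {acct['surname']!r} vs HR {person['surname']!r}"))
        # The reverse join: active people the system does not know about.
        for eid, person in hr.items():
            if person["status"] == "active" and eid not in accounts:
                findings.append((sysname, eid, "missing: active employee has no account"))
    return sorted(findings)


def by_kind(findings):
    """Count findings per kind (the word before the colon) for reporting."""
    counts = {}
    for _, _, text in findings:
        kind = text.split(":", 1)[0]
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```

The "dormant" finding is the one with security weight (an enabled account for someone who has left); "orphan" accounts are the ones nobody can be held accountable for, and both are invisible without the cross-system join this script performs.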
In this article I’ve detailed a typical scenario that requires proper IdM focus. In my next article I will illustrate how IdM tools and technologies can address and successfully manage these everyday problems.
Running a SOHO on Linux and FOSS
Howard Fosdick produced an excellent article on DesktopLinux.com titled Running a business on desktop Linux. The article compares the details of running a small office on Linux software vs Microsoft Windows based software, and although you can easily determine that Howard is a die-hard Linux convert there is a noticeable objective aspect in the article.
The article defines the basic requirements that non-tech-savvy users would typically have of a PC for their normal everyday use, and outlines the pros and cons of satisfying these requirements on a typical Windows platform versus an Ubuntu installation.
There are one or two points in the article I disagree with (not all aging Linux versions provide support ad infinitum, just like Windows), but overall it serves as a fantastic starting point for non-technical computer users who would like to evaluate alternatives, or who would like to cut operating costs and downtime losses stemming from their computer infrastructure and software. It does point out one or two negatives of the current FOSS landscape (most notably Microsoft Office document interoperability) which newbies would be wise to take note of.
Given the continuous upgrade cycle (hardware and software) required to run the latest and greatest Microsoft software there is a very strong case for evaluating Linux and FOSS software, but the Linux landscape is extremely confusing for the non technical end user. Using Ubuntu Linux as a reference point in the article makes a lot of sense and is probably the best advice to give to newcomers.
There are a myriad of references to other pieces from within the article, providing tons of additional information that will benefit the inquiring user tremendously. Overall it's a great, well thought through and well written article that will help to promote the use of Linux and free/open source software.
Oracle Identity Management Event
Our Oracle DBA asked me to attend as they’re a bit unhappy with the way I’m nailing our DB with my Novell IDM solution, and they’re convinced that Oracle can do it better…
3rd day this week I’m attending a conference at the Hilton, this being one of those sit down breakfast events. The first speaker, Danny Ilic, did a fantastic presentation on why IAM is becoming important, and why IAM is not a 30 day project. I must say given the numbers and timeframe he mentioned it seems as if my implementation has gone pretty well so far, but there’s always more work to be done.
Patrick Mclaughlin presented Oracle’s vision of end-to-end security, or “here’s the Oracle products to use to implement a security architecture in your company”. Good presentation, and as expected, a lot of Oracle promotion in there.
Although both presenters were good, especially Danny, I still left the event feeling robbed. I expected to hear why I should drop every single other IAM product suite and use Oracle's because of the following ground-breaking product features you'll ONLY find in the Oracle tools. Instead I heard the same basic conceptual principles of IAM and why I need to do it and how I should go about it; absolutely nothing was mentioned about Oracle's IAM features and benefits.
Given that there is still so much confusion in the IAM space, Oracle clearly meant to educate and influence potential customers as to the need to roll out an IAM project, as opposed to doing a full-blown promotion of their IAM suite. Perhaps that's why they supplied a CD filled with white papers and demos along with the addictive mints…
2nd Annual Identity & Access Management Forum - Day 2
Once again a pretty good day of presentations. Dominic White from Deloitte did a good presentation on multi factor authentication, and we got to play with some amazing hardware from Emeu. There was a lot of talk on the different factors for authentication, being:
- Something you have, e.g. an access card
- Something you know, e.g. a password
- Something you are, e.g. any biometric
Picking up from the talks and the feedback, I'd say there are two major requirements of IAM right now:
- Preventing corporate employees from copying confidential information onto a USB drive.
- Managing citizen identities.
Citizen identity is an absolutely massive issue in South Africa, with a lot of effort currently underway to try and improve the dire situation we are in w.r.t. our current identity system.
Overall this was a good conference, learnt a few things and got to hear what other people are up to. Overall I’d say there’s still more people talking about IAM than doing it, but it’ll pick up very soon.
2nd Annual Identity & Access Management Forum
The morning started off with a session by Allison Singh from Novell SA. I've had quite a few interactions with Allison since I started using Novell products and he was, as always, on top of his game despite being seriously jet lagged. Interesting things mentioned today (from all the sessions):
- US laws being introduced that assign responsibility to companies in the event of data theft. One of the trends stemming from this would be keeping a reduced identity footprint.
- RBAC is becoming quite the trend. This is clearly an abstraction layer aimed at providing greater agility in an Identity and access management system. To me this loosely translates to entitlements in Novell speak - something I’ve built in from day 1.
One topic I was 'introduced' to today, which has been lingering in my mind for a while and was perfectly brought to life today, is the concept of end-to-end architecture. My primary interest is using security events from your authentication systems (a user swiping their access card at the building entrance) as triggers to disable that specific user's accounts until the user enters the building again.
This is very fine grained access control utilizing the IDM infrastructure, but it delivers very concrete benefits. Combining physical access control with your digital access control systems provides the complete end-to-end solution, which eliminates a whole class of potential security breaches (e.g. hijacking an unlocked PC when the user leaves their desk).
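The badge-driven idea above reduces to a small event processor, shown here as an added example rather than anything from the conference or from Novell's tooling. Badge-in and badge-out events set the flag the IDM engine would push to the directory, a logon attempt from someone the badge system says is not on site is denied and raised as an alert, and an explicit exemption list covers the edge case the rule would otherwise break: staff who legitimately work without ever swiping in. The event stream, user IDs and host names are constructed for illustration.

```python
# Constructed badge and logon event stream (timestamps are illustrative).
EVENTS = [
    {"ts": "08:00", "type": "badge_in",  "user": "e100"},
    {"ts": "08:05", "type": "logon",     "user": "e100", "host": "pc-17"},
    {"ts": "12:00", "type": "badge_out", "user": "e100"},
    {"ts": "12:10", "type": "logon",     "user": "e100", "host": "pc-17"},  # badged out
    {"ts": "13:00", "type": "badge_in",  "user": "e100"},
    {"ts": "13:02", "type": "logon",     "user": "e100", "host": "pc-17"},
    {"ts": "13:30", "type": "logon",     "user": "e200", "host": "vpn-3"},  # remote worker
    {"ts": "14:00", "type": "logon",     "user": "e300", "host": "pc-04"},  # never badged in
]


class PresenceGate:
    """Turns physical access events into account state: badge-out disables
    interactive logon, badge-in re-enables it, and a logon by someone the
    badge system does not show on site is denied and alerted."""

    def __init__(self, remote_allowed=()):
        self.directory = {}                         # user -> enabled flag pushed to AD
        self.remote_allowed = set(remote_allowed)   # exemption for legitimate remote users
        self.alerts = []

    def handle(self, ev):
        """Returns True/False for logon decisions, None for badge events."""
        kind, user = ev["type"], ev["user"]
        if kind == "badge_in":
            self.directory[user] = True
        elif kind == "badge_out":
            self.directory[user] = False
        elif kind == "logon":
            if user in self.remote_allowed or self.directory.get(user) is True:
                return True
            # Not on site (or never badged in today): deny and record for review.
            self.alerts.append((ev["ts"], user, ev.get("host"), "logon while not on site"))
            return False
        return None


def run_demo(events=EVENTS):
    """Feed the constructed stream through the gate; return it and the logon outcomes."""
    gate = PresenceGate(remote_allowed={"e200"})
    logon_results = [r for r in (gate.handle(ev) for ev in events) if r is not None]
    return gate, logon_results
```

The denied 12:10 logon is the "unlocked PC" case: the user is out of the building, so whoever is at pc-17 is not them. The exemption list is the part that needs governance; without it the first remote worker locks themselves out, and with it the list itself becomes something the audit trail has to cover.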
Another very interesting discussion today was using the IDM synchronization engine to administer business specific attributes which you won’t traditionally find in the classic IDM attribute set. Personally I’ve refused this practice as users are very quick to request something like this once they realize the efficiencies of a successful IDM implementation. I believe you’ll have to decide for yourself how far you want to go given your existing business application solution, but once your security events become input and triggers for business events then the line becomes very gray indeed.
There were quite a few delegates from Africa at the conference, and it was extremely interesting to hear the challenges faced by these private companies and government IT departments. Of particular interest was a discussion of the Botswana government, which also doubles as an ISP for all government institutions (schools included). You can only imagine how complicated the solution becomes when implementing identity and access management across such a distributed model.
It was obvious from today that a lot of people and companies are talking about doing IDM, but there are very few instances where a company has walked a 2-3 year path with IDM and is willing to share the lessons learned. I had a few discussions with people who are investigating IDM, and it's clearly a chaotic landscape of new jargon and massive infrastructure which very few newcomers have managed to get their heads around. I'd guess that there are probably only just over a handful of proper IDM solutions in South Africa at this point in time, but it's growing and people are waking up to the need they all have but just didn't quite know about - yet…
The Start of Something Wonderful
World, meet little ajunior - ajunior, say hello to the world
A mere inch long at 9 weeks and 1 day, and he/she is already causing so many new emotions in our lives - the same lives that will most definitely change drastically and be turned completely upside down - but a new phase in our lives as parents that we approach with eager anticipation.
Thank you for entering our lives and for all the times you will still turn it upside down and inside out - this is the start of something undeniably wonderful!
