Whitehall Media, the UK’s market-leading business-to-business multi-platform media group, is already gearing up for next month’s Continue reading…and Conferences, but we thought we’d take the opportunity to remind you that we will also be hosting a new conference in October, , 2013 – ‘delivering an and strategy for corporate, business and government.’ The event will be held at the Hotel Russell, London, on 9 October, and promises to be the biggest Mobile Device Management event of the year.
Thomas Pedersen is chief executive officer and founder of OneLogin, the innovator in with 12 million users across 700 enterprise customers in 35 countries, including AAA, Gensler, Netflix, News International, Pandora, Steelcase and PBS.
According to Gartner, by the end of 2014, IDaaS (-as-a-Service) will account for 25 percent of all new IAM sales, compared to less than 5 percent in 2012. At the same time, the explosion of cloud-based apps is taking the enterprise by storm.
In fact, OneLogin’s 2013 State of Cloud Application Access Study showed that 78 percent of respondents plan to increase the number of cloud apps in their organizations this year.
As we reach this tipping point in cloud adoption, it’s important for IT pros to ask the right questions of cloud identity management providers. Here are 12 of the most critical:
1. Is Active Directory integration batch or real-time?
Real-time directory integration means that all directories are updated whenever changes are made in one directory within seconds, creating a “kill switch.” This is important as the last thing you want is sensitive data sitting out there in the cloud that’s still accessible by former employees. Yet according to our survey, 20 percent of firms admitted that former employees could still access applications after they no longer worked for the company.
2. Is there a planned downtime or read-only mode for any portion of your IAM product during upgrades or maintenance windows?
By its very nature, a single sign-on service to other applications must be extremely reliable. While some SaaS vendors operate with planned partial or full downtime, a cloud-based single sign-on solution should perform without planned downtime – this includes planned read-only mode for the admin interface during upgrades.
3. What set of pre-integrations does your IAM solution offer?
Since the value of an identity management solution is a direct function of its ability to integrate across an organization’s IT assets, any head-to-head product evaluation should start with a comparison of the competing vendors’ pre-integrated offering. The size of the app vendor ecosystem and directory types is paramount (Active Directory, LDAP, Workday, GoogleApps, etc.), but don’t overlook other types of infrastructure such as VPN integration (Juniper SSL VPN, Cisco ASA, SonicWall, RADIUS-based VPNs, etc.)
4. How extensible is your IAM solution?
In today’s dynamic business environment, even smaller businesses or teams need to be ready to incorporate new network infrastructure and applications. Whether it’s through an acquisition, new branch office or joint venture, IT needs to consider the advantages of having a complete and highly extensible identity platform that can cover requirements when business needs change. Does the IAM vendor offer free SAML Toolkits for all five Web development frameworks or third-party SAML plugins for popular Web apps like Drupal, Joomla, Moodle, WordPress, and Atlassian’s Jira and Confluence? Do you have access to a well documented REST API for unique requirements?
5. Do you have access to user-provisioning with entitlements?
Fact is, many SaaS applications offer built-in provisioning capabilities, including Box, Clarizen, Dropbox, Echosign, Google Apps, GoToMeeting, HipChat, Netsuite, Parature, RemedyForce, Salesforce, SAManage, Syncplicity, WebEx, Yammer and Zendesk. For example, upon creating a new user in Salesforce, you should also be able to assign the new user to the Admin, Marketing or Sales group based on business rules inside the IAM solution. Most IAM vendors offer real-time user provisioning, importing, matching and de-duplication as well as Just In Time Provisioning into the IAM directory. But most stop at basic CRUD operations.
6. How flexible is your IAM solution in terms of defining password constraints, session timeouts, IP address restrictions and enforcing Multi-Factor Authentication, and can you apply these policies at the account level, to individual groups or to specific users?
Modern cloud-based IAM solutions should empower IT to take back the security controls they once had when all their applications were behind the corporate firewall.
7. Are administrative roles and privileges fixed or flexible?
Flexible roles and privileges mean that you can give users the power to manage accounts, groups or specific users. This means that a LOB manager could administer his own group and users.
8. Can you assign security policies to specific users independent of granting their access to their apps?
This flexibility could be important for the ability to separate app administration from user management.
9. What else can you do with Active Directory Groups besides simply grouping people and apps?
You may find it useful to use attributes in Active Directory as an indicator for assigning roles (groups of applications), group memberships (policies), as well as performing bulk operations (like activating users). Bulk operations should let administrators perform operations on sets of users based on any combination of role, group and status. Examples of bulk operations include applying mappings, sending invitations, activating accounts, deactivating users and forcing password resets.
10. How easy is it to define a logical structure for application access that doesn’t correlate exactly with Active Directory Groups?
Seventy-two percent of the respondents in our survey have the need to provide external users (i.e. consultants) with temporary access to the company’s cloud applications. Will you ever need to manage cloud app access outside of your on-premise AD model? Would it be beneficial for you to be able to write and rewrite rules in seconds without changing your on-premise security permissions?
11. How does your IAM solution increase worker productivity and/or break down SaaS data silos?
Does it work seamlessly across the web, mobile and iPads? Can your users search across cloud apps in real-time? How easy and secure is your Mobile OTP App for Multi-Factor Authentication (e.g. is there a Push feature to send the one time password out-of-band over a cellular or wireless network without having to enter the digits manually?).
12. How quickly will you need to add additional applications to your system? Will your IAM solution require an extra charge?
Our survey showed that 71 percent of respondents admit to using cloud applications that have not yet been sanctioned by their IT department (like Dropbox and Gmail) to get work done. The ability to quickly add new apps will be crucial to overall security.
Click here to find more information about Whitehall Media’s Identity Management conference.
In the past 10-20 years, most medium to large organizations withhave deployed some sort of password management automation. This may be a self-service password management web portal, integrated to the corporate Active Directory, possibly with connectors to other applications and even code installed on corporate PCs, to enable locked out users to get help.
Sounds simple. So why is the password-related call volume at the IT help desk high (still or again)?
To understand why password problems remain, we have to start with the basics.
Why did your organization deploy a self-service password reset system? Almost certainly in order to drive down help desk call volume, offer 24×7 user service and reduce IT support cost (i.e., operate the help desk with fewer people).
How do you get ROI from a self-service password reset system? By changing processes so that (a) users experience fewer problems and (b) users resolve their own problems without calling the help desk.
Sounds simple. So what’s not working?
First, few organizations bother looking at root causes. If you want to minimize password problems, then arrange for users to have fewer passwords (single sign-on, password synchronization, federation, directory integration, etc.), examine and perhaps update your password policy and control when users are invited to change their passwords (hint: Friday afternoon is not a great choice!).
Next, to get users to resolve their own problems, you have to get a few things right:
(a) users must be aware of the service.
(b) the service must be available when users have a problem.
(c) the service must be reasonably easy to use, so they don’t just give up and call anyways.
Many organizations encounter problems with at least the first two criteria above. For example, if users don’t enrol security questions or have some other way to authenticate when their password is forgotten or locked out, then self-service will be useless to them. If the password reset UI is not available right from the login screen — whichever login screen, at the time and location where the user has a problem, then users will call in.
In short, maximizing user enrolment prior to users experiencing a password problem is key to success. If your organization doesn’t have a plan to engage with the user community, to get them to answer security questions, enter their mobile phone number (for SMS/PIN authentication), provide a voice sample (for voice biometric authentication), etc. — then only 10% to 20% of users will provide this data, so at most you can only drive down 10% to 20% of password-related help desk calls.
You also have to consider where users are (physically and in relation to login screens on their own or your corporate PC) when they need help. This has gotten more complicated in the past few years.
Users may have to type a password before starting the operating system, because your organization has (wisely) deployed a full disk encryption (FDE) package, such as McAfee EndPoint Encryption or Symantec Drive Encryption. This means that a web-based password reset solution, or even one that integrated with the Windows login screen, just won’t work (web browser? The user hasn’t even booted their OS yet!).
If a user forgets their pre-boot password, you have to provide self-service that they can access from their phone (their PC is effectively a brick), which integrates with your FDE key recovery server. Without this, password reset (at least for users who forgot their pre-boot password) is inaccessible to many users.
What about the Windows login screen? Technology to offer self-service password reset from the login screen has been offered by many vendors for years, for example through a Credential Provider for Windows Vista or later, or a GINA DLL for Windows XP. The trouble is, your workforce is probably mobile, and most of these products only work when a PC is physically attached to your corporate network. Once the user moves away from his desk — working on your campus using WiFi, or elsewhere via wired or wireless connectivity plus a VPN — all bets are off.
To enable self-service password reset for disconnected users, who may be working off-site, the password reset system not only has to integrate with the Windows login screen, but also with WiFi infrastructure and your corporate VPN. Without this, mobile users cannot access self-service password reset.
So what now?
Simple: upgrade your password reset system to a modern solution, that can reduce password problems (synchronization, carefully timed password change reminders), which actively engages users to get them to enrol and which works not only from a web browser and PC login screen, but also pre-boot and off-site.
Hitachi ID Systems
Click here to find more information about Whitehall Media’s Identity Management conference.
Wireless Security – advancing from the traditional “one-size-fits-all” approach.
, mobile devices and network technologies have evolved in recent years, giving the executive road warrior and field service representative access to corporate networks, databases and applications from virtually anywhere.
Despite these advances many organizations are still unfamiliar with the latest remote access technologies and are unsure how to address the biggest mobile deployment concerns, namely connection cost, availability, speed and security. Continue reading…
Whitehall Media, the UK’s market-leading business-to-business multi-platform media group, would like to take this opportunity to remind delegates and sponsors that in just under a month’s time we will be hosting Continue reading…, 2013 – the next frontier in innovation and competition for the large enterprise sector. BDA, 2013, will be held at the Hotel Russell, London, on 20 June, and promises to be the year’s most prestigious Analytics event. The Conference is sponsored by a number of industry-leading companies like SAP, MuSigma, Talend, 10Gen, Qlik View, Pentaho, Vitria and Alteros.
Due to the increase of mobile devices and applications including mobile phones, smart phones, tablet computers etc. and the Continue reading…( ) initiatives,creates a multitude of challenges to major companies. The intention of MDM ( ) is to find a solution for managing these devices in the work place. Companies are alarmed at the rate of employee adoption of mobile devices to access corporate data. Management of these devices is becoming a key issue of importance for CIO’s and the corporate management team. As the number of devices connecting to the secure company network increases it accelerates the risk of intrusions and hacking.
Whitehall Media, the UK’s market-leading business-to-business multi-platform media group, would like to remind all potential delegates and exhibitors that in just under 6 weeks’ time we will be hosting our seventh Continue reading…Conference. The IDM 2013 Conference and Exhibition, which is sponsored by Net IQ, Cyber-Ark, Layer 7, Forge Rock, Pirean, Symplified and Ping Identity, promises to be the UK’s largest gathering for IT and business professionals responsible for IDM Infrastructure and Deployment.
Whitehall Media’s 4th Annual Enterprise Cloud Computing and Virtualization Conference and Exhibition at the Hotel Russell, London, on 7 March, 2013, was, we can confidently say, well received and rightly judges to be a resounding success.
Enterprise Cloud Computing and Virtualization, 2013, managed to attract a record number of sponsors, delegates and exhibitors and helped organizations address the issues involved in the growing exposure to the Cloud whilst equipping the delegates with the know-how to deploy Secure Cloud Infrastructures in their own workplace. Continue reading…