Wednesday, November 9, 2011

Single Sign On and Password Synchronization - A powerful combination.

Password synchronization solutions can prove extremely useful for increasing efficiency and reducing costs. Tools4ever’s Password Synchronization Manager (PSM), for example, lets end-users use a single password for logging into their network and all the other applications they require access to. After end-users have changed their password, PSM ensures that they can log in directly to all the required systems and applications with that one set of log-on credentials. This improves end-user productivity and reduces the number of password-related helpdesk calls. One thing to keep in mind: a synchronized password is only as well protected as the weakest of the systems that store it, so the password policy should be set with the most exposed application in mind, not the most forgiving one. But is it possible to enhance efficiency and workforce productivity further still?

Password synchronization solutions alone still require the end-user to log in manually to each application and system they use, which can be extremely time-consuming. A recent survey has shown that an alarming 28% of us have to remember over 12 different username and password combinations in order to do our work on a daily basis, with the majority of us having to key in up to seven. In addition, 85% of us think that we would be able to work more efficiently if the time it took to log in to systems was reduced.

Single Sign On (SSO) solutions, such as Tools4ever’s Enterprise Single Sign On Manager (E-SSOM), address these issues. Once a user has logged into the network and logged on to their required applications, E-SSOM remembers the login credentials required for each application/system and automatically logs the user in thereafter, whenever the application/system is launched.

When PSM is combined with E-SSOM, even that one-time manual logon per application is no longer needed, because PSM communicates directly with E-SSOM. When a password is changed in Active Directory, PSM immediately pushes the new credentials to all connected applications/systems and passes the current credentials to E-SSOM, which then logs the user in automatically whenever those applications and systems are launched.

The combination of these two solutions makes login procedures significantly more efficient. It optimizes user convenience and simplifies the work of system administrators when access to new applications has to be added to user accounts, and when applications/systems require users to change their login credentials frequently. Time-consuming log-in procedures can become a thing of the past, end-user convenience can be at an optimum level, and workforce productivity increases.


More information on Single Sign On and Two-factor Authentication on our website.

Tuesday, October 18, 2011

Single Sign On not enough?

A major concern for hospitals is the security and accessibility of their computers, applications and data. Clinicians often share a common user name and password with several of their peers in an area of the hospital so that they can sign on to a computer quickly without switching users. With several people working under one login, it is impossible for the hospital to tell what each individual user is doing in the system or to construct an audit trail. HIPAA compliance reviews have flagged these practices and recommended changes to reduce the risk: user names and passwords should no longer be shared, and each user should be individually identified in the system.

The most practical solution to this problem is a Single Sign On product. Single Sign On allows each user to sign into the system once and thereafter be logged into each of their applications on the computer automatically, without entering additional credentials. Results from a Single Sign On pilot in the healthcare market revealed one concern with Single Sign On, though: that a user’s e-mail application might become available to others on a shared workstation. Users were very protective of their e-mail and wanted to make sure that no one else could view their personal information.

This concern can be alleviated with Two-factor Authentication. Two-factor Authentication asks users to present two forms of identification (for example a pass card or USB token plus a PIN code) in order to access the workstation, which ties the session, and therefore the e-mail account, to the individual who presented them. The combination of Single Sign On and Two-factor Authentication solves the HIPAA problem of accountability while also addressing the users’ concerns about the privacy of their e-mail. Two-factor Authentication also allows for fast user switching, reducing the time clinicians spend waiting for their profile to load.

More information on Single Sign On and Two-factor Authentication on our website.

Wednesday, October 5, 2011

Identity Management Metrics

A recent article in PC World identified ten metrics that are critical to the success of any IDM project. I would like to look at a few of these items and expand on how Tools4ever can provide software and services for a clear and concise implementation that leads to a quick ROI.

Monthly Password Reset Volume – The article points to this as an indicator of password policy effectiveness. Too few reset requests might mean users are choosing simple passwords or writing them down on sticky notes. Too many could indicate that the complexity standards are very stringent and users have difficulty remembering their passwords.

    Solution – Self Service Reset Password Manager (SSRPM) – allows companies to enforce complex passwords without inundating the help desk with user reset or unlock requests. The product can be deployed in an average organization in less than one day and the ROI is typically a few months.

Number of Credentials per User – A recent Tools4ever survey found that the average user has 10-12 separate, distinct sets of credentials, and the article reiterated this. Once again, a large number of credentials leads to a large number of calls to the help desk and to sticky notes with user names and passwords on the monitor.
    Solution – Enterprise Single Sign On Manager (E-SSOM) from Tools4ever provides a cost-efficient way to reduce the number of credentials to one: the AD username and password. The product is typically deployed by Tools4ever consultants in a few hours to a few days, depending on the number of applications. Two-factor or strong authentication via biometrics or smart cards addresses the usual security concern with SSO implementations, namely that the one remaining credential now unlocks everything.


Average time to provision or de-provision a User - No one wants a new employee to sit idle for days waiting for network and email access. Even worse, a terminated employee should not have access to anything once they have left the building. Too often the information flow from HR to IT is slow or non-existent in both of these scenarios, leading to a loss of productivity or a potential security breach.
    Solution – User Management Resource Administrator (UMRA) allows companies to implement a closed-loop process that encompasses creation, modification and deletion of user accounts. A common scenario is to synchronize Active Directory with the authoritative data source, typically the HR system, to ensure the correct account status and security rights are always present. Web forms are easily deployed to handle non-employees such as consultants, volunteers and contractors.
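The HR-to-directory synchronization described above, as an added example written for this page rather than UMRA or Tools4ever code. It separates the decision (what differs between HR and the directory) from the action (what to do about it) so the plan can be reviewed, or run with -WhatIf, before anything is changed. Assumed conventions: the HR export carries EmployeeId, GivenName, Surname, Department and Status (Active/Terminated); every directory account stores its HR id in the employeeID attribute; new users go into a made-up OU, are named first-initial-plus-surname, and are created disabled until the onboarding workflow sets a password. The sample HR rows and accounts are constructed.

```powershell
# Added example, not UMRA code: reconcile an HR export against directory accounts and
# turn the differences into provisioning steps. Assumed: HR id lives in employeeID,
# Status is Active or Terminated, new users go into the (made-up) OU below.

function New-PlanStep([string] $Action, $Hr, $Account) {
    $id = if ($Hr) { [string]$Hr.EmployeeId } else { [string]$Account.EmployeeID }
    $step = [ordered]@{ Action = $Action; EmployeeId = $id; SamAccountName = $null; GivenName = $null; Surname = $null; Department = $null }
    if ($Account) { $step.SamAccountName = $Account.SamAccountName }
    if ($Hr) { $step.GivenName = $Hr.GivenName; $step.Surname = $Hr.Surname; $step.Department = $Hr.Department }
    [pscustomobject]$step
}

function Get-ProvisioningPlan {
    param(
        [Parameter(Mandatory)] [object[]] $HrRecords,   # authoritative source
        [Parameter(Mandatory)] [object[]] $Accounts     # current directory state
    )
    $byId = @{}
    foreach ($a in $Accounts) { $key = [string]$a.EmployeeID; if ($key) { $byId[$key] = $a } }
    $seen = @{}
    foreach ($h in $HrRecords) {
        $id = [string]$h.EmployeeId
        $seen[$id] = $true
        $acct = $byId[$id]
        switch ($h.Status) {
            'Active' {
                if (-not $acct) { New-PlanStep 'Create' $h $null }
                elseif (-not $acct.Enabled) { New-PlanStep 'Enable' $h $acct }
            }
            'Terminated' {
                if ($acct -and $acct.Enabled) { New-PlanStep 'Disable' $h $acct }
            }
        }
    }
    # Enabled accounts whose employeeID HR has never heard of are pollution: surface them
    # instead of silently keeping (or silently migrating) them.
    foreach ($a in $Accounts) {
        $key = [string]$a.EmployeeID
        if ($key -and $a.Enabled -and -not $seen.ContainsKey($key)) { New-PlanStep 'Review' $null $a }
    }
}

function Invoke-ProvisioningPlan {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Step,
        [string] $NewUserPath = 'OU=Staff,DC=example,DC=com'   # assumed OU
    )
    process {
        switch ($Step.Action) {
            'Create' {
                $sam = ($Step.GivenName.Substring(0, 1) + $Step.Surname).ToLower()   # assumed naming convention
                if ($PSCmdlet.ShouldProcess($sam, 'New-ADUser')) {
                    # Created disabled: the onboarding workflow sets the first password and enables it.
                    New-ADUser -Name "$($Step.GivenName) $($Step.Surname)" -SamAccountName $sam `
                        -GivenName $Step.GivenName -Surname $Step.Surname -Department $Step.Department `
                        -EmployeeID $Step.EmployeeId -Path $NewUserPath -Enabled $false
                }
            }
            'Enable'  { if ($PSCmdlet.ShouldProcess($Step.SamAccountName, 'Enable-ADAccount'))  { Enable-ADAccount  -Identity $Step.SamAccountName } }
            'Disable' { if ($PSCmdlet.ShouldProcess($Step.SamAccountName, 'Disable-ADAccount')) { Disable-ADAccount -Identity $Step.SamAccountName } }
            'Review'  { Write-Warning "$($Step.SamAccountName) carries employeeID $($Step.EmployeeId) but HR has no such record; review before it is synchronized or migrated" }
        }
    }
}

# Constructed sample data (not real people or accounts)
$hr = @(
    [pscustomobject]@{ EmployeeId = '1001'; GivenName = 'Ana';  Surname = 'Diaz';  Department = 'Nursing';   Status = 'Active' },
    [pscustomobject]@{ EmployeeId = '1002'; GivenName = 'Ben';  Surname = 'Okoro'; Department = 'Radiology'; Status = 'Terminated' },
    [pscustomobject]@{ EmployeeId = '1003'; GivenName = 'Cleo'; Surname = 'Marsh'; Department = 'Pharmacy';  Status = 'Active' },
    [pscustomobject]@{ EmployeeId = '1004'; GivenName = 'Dev';  Surname = 'Patel'; Department = 'Pharmacy';  Status = 'Active' }
)
$accounts = @(
    [pscustomobject]@{ SamAccountName = 'bokoro';  EmployeeID = '1002'; Enabled = $true },
    [pscustomobject]@{ SamAccountName = 'cmarsh';  EmployeeID = '1003'; Enabled = $true },
    [pscustomobject]@{ SamAccountName = 'dpatel';  EmployeeID = '1004'; Enabled = $false },
    [pscustomobject]@{ SamAccountName = 'oldtemp'; EmployeeID = '0999'; Enabled = $true }
)

Get-ProvisioningPlan -HrRecords $hr -Accounts $accounts | Format-Table
Get-ProvisioningPlan -HrRecords $hr -Accounts $accounts | Invoke-ProvisioningPlan -WhatIf

# Against a real domain (needs the ActiveDirectory module; employeeID is not a default property):
# $live = Get-ADUser -Filter * -Properties employeeID
# Get-ProvisioningPlan -HrRecords (Import-Csv .\hr-export.csv) -Accounts $live | Invoke-ProvisioningPlan -WhatIf
```

Against the sample, the plan contains a Create for 1001, an Enable for dpatel, a Disable for bokoro and a Review warning for oldtemp; with -WhatIf the directory is never touched, which is how a daily sync should be dry-run before it is scheduled.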


The article has many other great discussion topics and is a quick, informative read.

To learn more about Tools4ever solutions for Identity and Password Management, please visit our website.

Wednesday, September 21, 2011

Getting Started with IDM

One of the questions often encountered when an organization decides to start an Identity Management project is “where do we start?” Undoubtedly, when looked at as a whole, the task can be daunting if not completely overwhelming: what is the source of data, how do we define roles, there are dozens of applications to interface with, and the list goes on.

The approach we recommend is to start small – replace the manual, paper intensive process that is currently in place with a more automated, web based solution. Most organizations have a new hire form that has basic information – department, location, title, etc. and this is frequently coupled with another form that outlines what the new employee will need – network account, email, computer, phone, access to certain applications and group memberships to name a few.

A portal, such as the one in UMRA, can easily replace the paper request forms with web forms. The HR department or hiring manager completes the form online instead of on paper. Workflow processes automatically take over and distribute the information to the appropriate parties for approval or action. Active Directory and email accounts can be created quickly and securely, while emails are delivered to the system owners to ensure provisioning occurs and hardware requirements are fulfilled. As items are completed, the owners mark them in the portal, making tracking easy.

A similar process can easily be set up for termination. Instead of HR sending the help desk an email, a quick entry into a web form can kick off the entire account disable and delete process. This allows for a much better level of security and reduces the risk a terminated employee will continue to have access to systems for days, weeks or even longer!

Once the “electronic” forms are in place, more time can be spent defining further requirements such as Role Based Access Control, electronic interfaces to other systems and even employee self-service. The net result, however, is a quick win for the entire organization – reduced paper work, better accuracy, timely account creation and, just as important, account deletion.

For more information, please visit our website, Tools4ever.com, to learn more about our phased approach.

Monday, August 15, 2011

Combining migration with implementation?

Many companies are apprehensive about implementing UMRA while they are in the middle of a migration to an Active Directory (AD) environment. This may be due to the misconception that the migration must be completed before UMRA will work properly, or a fear that starting another project mid-migration will overcomplicate things and delay the deadline. In fact, UMRA assists with migration both before and after the project and streamlines the process, and Tools4ever’s expertise in this area is a valuable project management asset that speeds up the migration.

There are two common migration scenarios. The first is domain consolidation, where multiple AD domains are collapsed into a single domain. In this scenario UMRA recreates the user account and, more often than not, retains the username in the new domain. Organizations also have the option of introducing a new naming convention, which is usually needed when the consolidation produces duplicate names. UMRA then creates the new user name and alerts end users by email of their new username and the date on which it takes effect.

Not only is the user migration process streamlined, but the migration of those users’ resources as well. This includes items like group memberships and home directory data. As users are migrated UMRA retains their group memberships, and if one of the groups in question does not exist in the new domain UMRA creates it automatically. Home directory data can either be copied to a new server in the new domain or re-permissioned on the existing server with the SID of the newly migrated account.
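The "re-permission with the new SID" step, as an added example that is not UMRA code: it walks the explicit ACEs on a home directory, replaces every entry that names the old account's SID with an identical entry for the new account, and transfers ownership if the old account owned the folder. Inherited ACEs are skipped because they belong to the parent folder. Assumed inputs are the old SID (which Get-Acl shows as a raw SID once the old domain is gone), the new account's SID from Get-ADUser, and a made-up file server path; the function runs with -WhatIf so the planned changes can be inspected first.

```powershell
# Added example, not UMRA code: rewrite explicit ACEs (and ownership) on a migrated
# user's home directory from the old account SID to the new one.

function Update-HomeDirectorySid {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $OldSid,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $NewSid,
        [switch] $Recurse   # also fix explicit ACEs that users set on files and subfolders
    )
    $items = @(Get-Item -LiteralPath $Path -Force)
    if ($Recurse) { $items += Get-ChildItem -LiteralPath $Path -Recurse -Force }
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        $changed = 0
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            # IdentityReference is an NTAccount when resolvable and a raw SID when orphaned;
            # Translate() normalises both to a SID for the comparison.
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
            catch { continue }   # principal from some other unreachable domain: leave it alone
            if ($sid.Value -ne $OldSid.Value) { continue }
            $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
                $NewSid, $ace.FileSystemRights, $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
            [void]$acl.RemoveAccessRuleSpecific($ace)
            $acl.AddAccessRule($newAce)
            $changed++
        }
        if ($acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value -eq $OldSid.Value) {
            $acl.SetOwner($NewSid)   # assigning ownership to another account needs an admin session (SeRestorePrivilege)
            $changed++
        }
        if ($changed -gt 0 -and $PSCmdlet.ShouldProcess($item.FullName, "rewrite $changed entries $($OldSid.Value) -> $($NewSid.Value)")) {
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
        [pscustomobject]@{ Path = $item.FullName; EntriesChanged = $changed }
    }
}

# Usage against a file server (assumed path and SIDs; -WhatIf reports without changing anything):
# $old = [System.Security.Principal.SecurityIdentifier] 'S-1-5-21-1111111111-2222222222-3333333333-1105'
# $new = (Get-ADUser -Identity 'jsmith').SID
# Update-HomeDirectorySid -Path '\\fs01\home$\jsmith' -OldSid $old -NewSid $new -Recurse -WhatIf
```

Running it once per migrated user, with the returned EntriesChanged counts logged, gives the audit trail for the re-permissioning; any path reporting zero changes on a user whose old ACEs are known to exist is worth a manual look before the old domain is decommissioned.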

UMRA also assists and eases the migration process by:

Eliminating pollution - Most migration tools copy 1:1, which includes erroneous and/or stale accounts. UMRA migrates users by reconciling them against an HR/SIS system so that pollution is not carried over. Activity reports on which groups are not being used are generated so that unused objects are not migrated.

Filling attributes - When a migration takes place, some information such as “title” or “department” may be missing. UMRA populates these attributes automatically as needed.


To learn more about UMRA please visit our website.

Monday, August 8, 2011

What’s in a Password?

Find out how a recent study uncovered alarming news about the security risks in employee passwords

Would you believe it if I told you that fewer than 1% of the passwords in use today are truly random? Unfortunately, it’s true. A recent report* shows that fewer than 1% of passwords in use are random in nature. In fact, the report breaks down how people derive their passwords; for example:
• 14% of passwords are derived from a person’s name (JohnSmith)
• 8% of passwords are derived from a place name – most likely the place where the person lives or was born (SeattleWA)
• 14% of passwords are purely numeric and in some situations are consecutive numbers (12345)
• 25% of passwords are random dictionary words (computer)
• Another 8% or so are made up of keyboard patterns, short phrases, words within the email address, and repeating words (asdf, myblackcat, @apple, redred – respectively)
• The remaining 31% could not be classified during the study

This information is alarming to network and security administrators in any field. Most system administrators set password complexity rules, but not all do, and even where they exist employees may still choose passwords that are easy to guess. To help prevent network breaches, organizations should consider adding identity management solutions. There are several easy measures an organization can implement to reduce the risk of a password-related breach.

One I’d like to focus on is two-factor authentication. This secures the primary login with a pass-card or a biometric. Instead of entering a username and password, users log in by presenting a pass-card or biometric to a reader and entering a PIN code. The combination provides strong authentication because it is based on something the user has (the pass-card) or is (the biometric) together with something they know (the PIN code).


Tools4ever’s Enterprise Single Sign On Manager (E-SSOM) integrates with common two-factor authentication readers, such as HID, Mifare, biometric, Gridtoken, proximity-based and RFID readers. E-SSOM integrates natively with the driver software of the (card) reader and links the pass-card ID to the user’s credentials (username/password) in Active Directory; no additional software is required to create this link. This gives all users a user-friendly and secure login.

Stay tuned for my next blog where I explain how implementing a self-service password reset option can also help ensure your employees are using secure and complex passwords.

*Source: The science of password selection by Troy Hunt

Wednesday, July 13, 2011

Two-Factor Authentication for Password Resets

In order to increase security of websites, applications and networks, many organizations are increasingly turning to two-factor authentication. Recently I tried to log into my online banking from a new laptop. The website returned a message that it did not recognize the computer and I would need a PIN to log in. The PIN could be delivered via email or SMS to my mobile phone. Further, the PIN could only be delivered to an email or cell number the bank already had on record – no ability to enter new information.

Tools4ever has recently enhanced our Self Service Reset Password Manager (SSRPM) software to take full advantage of two-factor authentication through several delivery methods. The first enhancement, released earlier this year, delivers a PIN to an email address. The address must have been entered by the end user beforehand, so that someone requesting a reset cannot redirect the PIN to an address they control. Once a user initiates the “Forgot My Password” wizard and completes the challenge questions, they are prompted for the PIN to complete the password reset.

The most recent version of SSRPM, released on June 24th, takes two-factor authentication a step further and can deliver the PIN in an SMS message. The cell phone number must be entered by the end user during enrollment, again so that the PIN cannot be redirected when a reset is actually performed. As with the email method, once an end user initiates the reset wizard and completes the challenge questions successfully, they are prompted to enter the PIN delivered to their phone via SMS.
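The reset flow described in the two paragraphs above, as an added example that models it rather than reproducing SSRPM's code. It spells out in code the properties that make the second factor worth having: challenge answers are stored as salted PBKDF2 hashes, the PIN comes from a CSPRNG, it is short-lived and single-use, it goes only to the phone number captured at enrollment (the requester never supplies one), and the reset proceeds only after both the answers and the PIN have been verified. The SMS gateway, the in-memory store and the sample user are all made up; with a real directory the last step would call Set-ADAccountPassword.

```powershell
# Added example, not SSRPM code: challenge questions followed by a PIN sent to the
# enrolled phone number. Everything here is in-memory and constructed.

$script:Enrollment  = @{}   # user -> @{ Salt; Answers (question -> hash); Phone }
$script:PendingPins = @{}   # user -> @{ Hash; Expires; Attempts }
$script:Outbox      = New-Object System.Collections.ArrayList   # stands in for the SMS gateway

function Send-Sms([string] $To, [string] $Text) { [void]$script:Outbox.Add(@{ To = $To; Text = $Text }) }

function Protect-Answer([string] $Answer, [byte[]] $Salt) {
    # Normalise whitespace and case so "Lincoln  Elementary" still matches, then PBKDF2.
    $norm = (($Answer -replace '\s+', ' ').Trim()).ToLowerInvariant()
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList $norm, $Salt, 100000
    try { [Convert]::ToBase64String($kdf.GetBytes(32)) } finally { $kdf.Dispose() }
}

function Get-PinHash([string] $Pin) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { [Convert]::ToBase64String($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($Pin))) } finally { $sha.Dispose() }
}

function New-Pin([int] $Digits = 6) {
    # Rejection sampling over a 32-bit CSPRNG value removes the modulo bias.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    $limit = [uint32][math]::Pow(10, $Digits)
    $max = [uint32]::MaxValue - ([uint32]::MaxValue % $limit)
    do { $rng.GetBytes($bytes); $n = [BitConverter]::ToUInt32($bytes, 0) } while ($n -ge $max)
    $rng.Dispose()
    ($n % $limit).ToString().PadLeft($Digits, '0')
}

function Register-Enrollment([string] $User, [hashtable] $Answers, [string] $Phone) {
    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $hashed = @{}
    foreach ($q in $Answers.Keys) { $hashed[$q] = Protect-Answer $Answers[$q] $salt }
    $script:Enrollment[$User] = @{ Salt = $salt; Answers = $hashed; Phone = $Phone }
}

function Start-PasswordReset([string] $User, [hashtable] $Answers) {
    $e = $script:Enrollment[$User]
    if (-not $e) { return $false }   # an unknown user fails the same way as a wrong answer
    foreach ($q in $e.Answers.Keys) {
        $given = if ($Answers.ContainsKey($q)) { [string]$Answers[$q] } else { '' }
        if ((Protect-Answer $given $e.Salt) -ne $e.Answers[$q]) { return $false }
    }
    $pin = New-Pin
    $script:PendingPins[$User] = @{ Hash = Get-PinHash $pin; Expires = (Get-Date).AddMinutes(5); Attempts = 0 }
    Send-Sms -To $e.Phone -Text "Your password reset PIN is $pin"   # enrolled number only; the caller cannot supply one
    return $true
}

function Complete-PasswordReset([string] $User, [string] $Pin) {
    $p = $script:PendingPins[$User]
    if (-not $p) { return $false }
    if ((Get-Date) -gt $p.Expires -or $p.Attempts -ge 3) { $script:PendingPins.Remove($User); return $false }
    $p.Attempts = $p.Attempts + 1
    if ((Get-PinHash $Pin) -ne $p.Hash) { return $false }
    $script:PendingPins.Remove($User)   # single use: a captured PIN cannot be replayed
    # Live: Set-ADAccountPassword -Identity $User -Reset -NewPassword (Read-Host 'New password' -AsSecureString)
    return $true
}

# Walk-through with a constructed user
Register-Enrollment -User 'jsmith' -Answers @{ 'First school' = 'Lincoln Elementary'; 'First car' = 'Civic' } -Phone '+15555550100'
Start-PasswordReset -User 'jsmith' -Answers @{ 'First school' = 'lincoln  elementary'; 'First car' = 'Civic' }
$pin = $script:Outbox[$script:Outbox.Count - 1].Text -replace '\D', ''
$guess = if ($pin -eq '000000') { '000001' } else { '000000' }
Complete-PasswordReset -User 'jsmith' -Pin $guess   # a wrong PIN, counted against the attempt limit
Complete-PasswordReset -User 'jsmith' -Pin $pin     # the delivered PIN
Complete-PasswordReset -User 'jsmith' -Pin $pin     # replay of a consumed PIN
```

The ordering matters: the PIN is only generated and sent after the challenge answers pass, so an attacker who knows a victim's phone number but not the answers cannot make the service text them, and the three-attempt cap on a six-digit PIN keeps guessing from being a practical attack within the five-minute window.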

To learn more about two-factor authentication, this Wiki article has excellent information. To learn more about Tools4ever and SSRPM, please visit our website.

Wednesday, June 15, 2011

Complete an SSO Survey for a chance at an iPad 2!

Tools4ever is busy finalizing the next release of its Enterprise Single Sign On Manager. The release, currently slated for June 17, 2011, will incorporate many new features and enhancements to existing supported application types.

We would like to learn more about your interest and requirements for SSO. Please take a minute to complete a brief survey and we will enter you for a chance to win an iPad 2. This survey is limited to 500 participants so don’t delay! Click HERE to take the survey and good luck!

Wednesday, June 1, 2011

Enterprise Single Sign On for Automotive Dealerships

A recent implementation of the Tools4ever Enterprise Single Sign On Manager (E-SSOM) for a group of automotive dealers in Louisiana presented a unique opportunity. This group has a total of 15 dealerships, all running the same HR, CRM, inventory and dealer management applications, along with a number of web-based tools. They had been using an SSO application from their CRM/dealer management vendor that automatically logged personnel into the appropriate applications based on their Active Directory credentials.

The major problem occurred when the supplier made a decision to stop supporting the SSO application in a few months.

The dealer group started an immediate search for a replacement product. They knew all too well that calls to the help desk for password assistance would skyrocket once the old SSO application was removed. Tools4ever was selected as a potential vendor and, after a thorough Proof of Concept and a few tweaks to E-SSOM, we were able to demonstrate the basic functionality of our solution in the client’s production environment by automating the logon process for 8 unique applications, including the most crucial CRM and dealer management systems.

After the roll-out to all current employees was completed, a decision was made to pre-enroll new users. Going forward, the only credentials anyone receives are their AD username and password. Access to all other applications is handled via E-SSOM, and end users never actually know the passwords to the eight applications they need to access. The benefit is that disabling a terminated employee’s AD account, or removing their E-SSOM profile, automatically revokes their access to every other application, which eliminates a potential security concern.

To learn more about Tools4ever solutions for Identity and Password Management, please visit our website.

Friday, May 20, 2011

Enterprise Single Sign On

I recently attended the Interop Las Vegas trade show and one of the most asked about products we offer was our Enterprise Single Sign On Manager. One of the things I noticed was that there seem to be a lot of different takes on what companies are looking for in this arena.

The Tools4ever solution has been on the market for a couple of years now and, as of late, has been gaining a lot of traction in the market. Some of our recent deployments include a City Government in Florida, an automobile dealer, an insurance company, a division of the Federal Courts, a charter school and a bank – quite a representation of the types of organizations looking to deploy SSO functionality.

The Tools4ever implementation of SSO uses Active Directory as the authoritative source for password management. An end user logs into AD and provides their credentials once for each other application they are authorized to use, whether it is a web page, a standard Windows application, a mainframe session or a Citrix desktop. After that, our E-SSOM solution remembers the credentials and securely provides them as required. No more sticky notes with dozens of user names and passwords on the side of the monitor. No more calls to the help desk to reset a password for a specific application. One secure, complex password provides, in essence, access to every authorized application.

The issue of security often arises with SSO implementations as well: if someone compromises that one password, they now have access to everything! What we commonly see without SSO is the use of simple passwords to make them easier to remember, no enforcement of regular password changes, and the inevitable sticky notes. With SSO, you can make the one password more complex and enforce regular changes, which makes this aspect more secure; because that single credential now unlocks everything, it is also the natural place to add strong or two-factor authentication. Further, our SSO solution can randomly reset the passwords of the individual applications, so that by disabling the SSO profile you revoke access to everything.

To learn more about Tools4ever and our Identity and Password management solutions, please visit our website.

Wednesday, April 27, 2011

Password Management - Self Service and Single Sign On

According to a number of recent studies, calls to the help desk for password reset assistance make up 10 to 30% of the total call volume. Further research puts the cost of each call at $51 to $147 in labor, not to mention the loss of productivity while the employee attempts to log in, gives up, waits in the help desk queue and eventually resets the password. One further complication: the average employee is required to maintain 8 unique combinations of user IDs and passwords, usually with varying complexity and expiration rules.

So, how can the typical organization reduce the costs associated with password management and maintain the highest level of security? The answer lies in the Password Management solutions from Tools4ever: Self Service Reset Password Manager (SSRPM) and Enterprise Single Sign On Manager (E-SSOM).

The first application, SSRPM, is an enrollment-based application that lets users register by answering a series of challenge questions, much as they would for an online banking site. Once enrolled, they can reset their own password directly from the Windows login screen by clicking a “Forgot My Password” link; the same service is available from a website or via Outlook Web Access integration. To ensure high adoption rates, some organizations elect to pre-enroll employees by pulling personal information from the HR system (bearing in mind that answers drawn from HR data may be known to colleagues, so they are weaker than secrets the user chooses). The software is extremely secure and is in use by organizations ranging from 25 to 350,000 employees worldwide.

The second application, E-SSOM, reduces the number of user name and password combinations from the average of 8 to exactly one: the AD credentials. By securely capturing and storing a user’s credentials for all applications they are authorized to access, E-SSOM eliminates the need for a user to write passwords on a sticky note or attempt to remember them. E-SSOM can automatically handle password changes at required intervals and allows users to delegate the credentials for a specific application to someone else for a period of time, such as a vacation.

When both SSRPM and E-SSOM are used in combination, the number of calls to the help desk drops to nearly zero. The result is a tremendous savings of time, money and an overall increase in security.

For more information on the complete Tools4ever Identity and Access Management suite, please visit our website.

Tuesday, April 26, 2011

School Districts save time and resources by embracing network automation

I have been getting more questions about streamlining IT department operations and finding ways to be more efficient with fewer resources. We have many implementations across the country for automated network account provisioning by synchronizing authoritative data sources to different directory services. Utilizing Tools4ever’s User Management Resource Administrator (UMRA), our consultants bridge the gap between student information systems like Skyward and Active Directory.

School districts often struggle to create and manage user accounts in a timely manner due to lack of resources, poor data integrity or outdated scripts. Additionally, when districts rely on third-party scripts, they become vulnerable when the author of those scripts leaves the district: suddenly the scripts are unsupported, and when the infrastructure changes they break, leaving the district in a bind.

UMRA protects the integrity of the district network data by providing easily supported project files rather than scripts or code. UMRA’s development environment allows for rapid deployment of identity management systems at a very competitive price point. As school districts look for additional ways to save money, they tend to stop hiring and incorporate more automated processes.

Benefits of UMRA for Education:
•Manual IT procedures are automated via student information system connectors;
•Connecting the student information system with various teaching applications, such as Destiny, library system, access system, Live@edu, Google Apps, etc. ;
•User account uniformity;
•Reduced input time for system and application managers through the automation of tasks;
•100 percent logging of all activities in the domain;
•Enhanced data integrity: the domain is always fully up-to-date and pollution free;
•Complete implementation within a few days for immediate ROI.

Common UMRA Connected Student Information Systems
•Banner
•Infinite Campus
•PowerSchool
•Aeries
•Jenzabar
•Pentamation
•DataTel
•Campus Management
•Teams

To learn more about UMRA please visit our website. To read about how one school district implemented UMRA, read our Lewisville Independent School District case study.

Friday, April 1, 2011

Identity and Password Management in Healthcare

As of late, Tools4ever has been implementing more solutions on the healthcare market and I wanted to take a look at our clients and ascertain if there are common issues that this market sector needs to address. Not surprisingly, there were a number of common themes in these accounts.

Shared User Accounts
One of the top reasons for implementing Identity Management in healthcare is the need to eliminate “shared” accounts. Quite frequently, all the nurses on a floor share one or more computers, and everyone uses the machine through a common, generic account. The issue is security and privacy: it is impossible to restrict access or to determine who is doing what and when.
Identity management typically solves this by linking an HR application to Active Directory and creating individual logon accounts. Fast user switching, available in Vista and Windows 7, makes this a quick process for busy healthcare professionals. Further, the Tools4ever Single Sign On product provides users’ credentials to authorized applications automatically when fast user switching is used.

Downstream Provisioning

Active Directory and email are just two of the many systems that require user accounts. Pharmacy, medical records, radiology and IP phone systems are only the start of the list of applications in which users need accounts set up and managed. By defining simple templates based on department and title, it is possible to configure accounts in a majority of the applications and to assign the appropriate groups and distribution lists as well. In more complex environments, web-based workflow with single- or multi-level approval can be the first step towards completing an advanced Role Based Access Control (RBAC) matrix.

Stale Accounts
By far one of the most common issues, and the one with the most potential for security breaches, is stale accounts: accounts still active after an employee, consultant or temporary employee has left. Tools4ever provides several options for dealing with this issue. The first is to detect a termination date or flag in the HR system during a daily sync and immediately disable the account. Another option is to scan Active Directory daily for unused accounts: if an account has not been used for, say, 60 days, automatically send an email to the user’s manager stating that the account will be disabled the next day if no action is taken. Finally, by enforcing a strict policy of requiring a “disable on” date when creating accounts for consultants or temporary employees, automated email notifications can warn of the impending disable 5, 3 and 1 day prior, allowing time for an extension to be entered.
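The inactivity scan and the disable-on-date warnings described above, as an added example written for this page rather than Tools4ever code. The logic takes account objects as input so it can be checked against constructed data before it is pointed at a real domain. Assumptions: the manager's mail address has already been looked up into a ManagerMail field (the live query at the end shows one way to do that), mail goes through a made-up SMTP host, and the scan runs daily so that an account is warned about the day it crosses the threshold and disabled on the following run. One caveat the page does not mention: lastLogonTimestamp is only written back to the directory when the stored value is more than 9-14 days old, so it means "last logon at least this recent"; that is fine for a 60-day rule but would not support a 7-day one.

```powershell
# Added example, not Tools4ever code: detect inactive and expiring accounts, warn the
# manager, and disable on the following day. SMTP host and addresses are made up.

function Get-InactiveAccount {
    param([Parameter(Mandatory)] [object[]] $Accounts, [int] $InactiveDays = 60, [datetime] $Now = (Get-Date))
    foreach ($a in $Accounts) {
        if (-not $a.Enabled) { continue }
        # Accounts that have never logged on are measured from creation so a brand-new account is not flagged.
        $ref = $null
        if ($a.LastLogonTimestamp) { $ref = [datetime]::FromFileTimeUtc([int64]$a.LastLogonTimestamp).ToLocalTime() }
        elseif ($a.WhenCreated) { $ref = [datetime]$a.WhenCreated }
        if (-not $ref) { continue }
        $days = [int][math]::Floor(($Now - $ref).TotalDays)
        if ($days -ge $InactiveDays) {
            [pscustomobject]@{ SamAccountName = $a.SamAccountName; ManagerMail = $a.ManagerMail
                               DaysInactive = $days; Reason = "no logon for $days days; it will be disabled tomorrow unless you respond" }
        }
    }
}

function Get-ExpiringAccount {
    param([Parameter(Mandatory)] [object[]] $Accounts, [int[]] $WarnDays = @(5, 3, 1), [datetime] $Now = (Get-Date))
    foreach ($a in $Accounts) {
        if (-not $a.Enabled -or -not $a.AccountExpirationDate) { continue }
        $left = [int][math]::Ceiling((([datetime]$a.AccountExpirationDate) - $Now.Date).TotalDays)
        if ($WarnDays -contains $left) {
            [pscustomobject]@{ SamAccountName = $a.SamAccountName; ManagerMail = $a.ManagerMail
                               DaysLeft = $left; Reason = "expires in $left day(s); enter an extension if it is still needed" }
        }
    }
}

function Send-AccountNotice {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $Finding, [string] $SmtpServer = 'smtp.example.com')
    process {
        $to = if ($Finding.ManagerMail) { $Finding.ManagerMail } else { 'iam-team@example.com' }   # no manager set: route to IAM
        if ($PSCmdlet.ShouldProcess($to, "notify about $($Finding.SamAccountName)")) {
            Send-MailMessage -SmtpServer $SmtpServer -From 'iam@example.com' -To $to `
                -Subject "Action pending on account $($Finding.SamAccountName)" `
                -Body "Account $($Finding.SamAccountName): $($Finding.Reason)."
        }
    }
}

# Constructed sample (dates relative to a fixed "today" so the run is repeatable)
$today = Get-Date '2011-04-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'rn.active';  Enabled = $true; LastLogonTimestamp = $today.AddDays(-3).ToFileTimeUtc();  WhenCreated = $today.AddYears(-2); ManagerMail = 'mgr@example.com'; AccountExpirationDate = $null },
    [pscustomobject]@{ SamAccountName = 'rn.stale';   Enabled = $true; LastLogonTimestamp = $today.AddDays(-60).ToFileTimeUtc(); WhenCreated = $today.AddYears(-2); ManagerMail = 'mgr@example.com'; AccountExpirationDate = $null },
    [pscustomobject]@{ SamAccountName = 'rn.new';     Enabled = $true; LastLogonTimestamp = $null;                               WhenCreated = $today.AddDays(-2);  ManagerMail = $null;             AccountExpirationDate = $null },
    [pscustomobject]@{ SamAccountName = 'consultant'; Enabled = $true; LastLogonTimestamp = $today.AddDays(-1).ToFileTimeUtc();  WhenCreated = $today.AddDays(-30); ManagerMail = 'mgr@example.com'; AccountExpirationDate = $today.AddDays(3) }
)

$inactive = Get-InactiveAccount -Accounts $sample -InactiveDays 60 -Now $today
$inactive | Where-Object { $_.DaysInactive -eq 60 } | Send-AccountNotice -WhatIf                                   # day 60: warn the manager
$inactive | Where-Object { $_.DaysInactive -gt 60 } | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }   # day 61+: disable
Get-ExpiringAccount -Accounts $sample -Now $today | Send-AccountNotice -WhatIf

# Live input (needs the ActiveDirectory module); the manager DN is resolved to a mail address here:
# $live = Get-ADUser -Filter * -Properties lastLogonTimestamp, whenCreated, manager, AccountExpirationDate |
#     Select-Object SamAccountName, Enabled, LastLogonTimestamp, WhenCreated, AccountExpirationDate,
#         @{ n = 'ManagerMail'; e = { if ($_.manager) { (Get-ADUser $_.manager -Properties mail).mail } } }
```

Against the sample, rn.stale is the only inactive finding (60 days, so a warning, not a disable), rn.new is not flagged because it is measured from its creation two days ago, and consultant triggers the 3-day expiry notice. Scheduling the script daily and keeping DaysInactive in the output makes the warn-then-disable sequence auditable without any extra state.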

For further information please visit our website Tools4ever, Inc., or Click Here to download a health care case study or brochure.

Monday, March 28, 2011

Education and Free Email Services

One of the recent trends in the Education market over the last couple of years is the free email offerings from Google and Microsoft. While Gmail and Microsoft Live@edu offer a number of tangible benefits to schools and universities, including a permanent account for alumni, creating and managing the accounts can be a challenge. Adding to this, passwords from Active Directory are no longer automatically synchronized and, especially if you were using Exchange, an additional burden can be placed on the helpdesk to reset email passwords.

Tools4ever offers solutions to both of these common issues when moving to Gmail or MS Live. Our User Management Resource Administrator can take a feed from your Student Information System and use data from there to automatically create user accounts in the hosted email solution. Further, when students graduate, their AD accounts can programmatically be moved to an Alumni OU and the appropriate indication made in either Gmail or MS Live.

Our PSM (Password Synch Manager) and SSRPM (Self Service Reset Password Manager) also integrate with both of these email services. If a user forgets a password in AD or the email solution, they can visit a web page, answer a series of challenge questions, and reset both passwords simultaneously. Although not as common for students, faculty and staff typically have expiration dates on passwords and need to reset them on a regular basis. PSM captures the new AD password and sends it to the email service to ensure the passwords remain in sync.
To learn how Tools4ever can help prevent your free mail system from costing a fortune in maintenance and help desk time, please visit our website: Tools4ever, Inc.

Tuesday, March 22, 2011

Your Identity Management Strategy: What’s on the Menu?

Identity Management projects have a reputation for being long, costly and technically complex. What if the benefits of an Identity Management strategy could be yours without the hassle, including overhead that goes with technically complex projects; and within the limits of your budget?

Thanks to hundreds of Identity Management projects managed by our technical consultants, Tools4ever has been able to create a number of Identity Management best practices, aiming at achieving the maximum result with minimal effort.
One best practice is establishing a real Identity Management maturity model. Another result is the Tools4ever Identity Management à la carte menu, demonstrating Tools4ever’s capacity to deliver point solutions as well as integrated Identity Management approach.

Here are some examples from the Identity Management à la carte menu of solutions that have been implemented (the estimated implementation time refers to average-size organizations of about 2000 users):

• Delegation and tracing of the management of all user accounts and their resources (2 days);
• Synchronization with HR system (2 days);
• Identity Management Self Service Portal and Workflow Management (5 days);
• RBAC - Role Based Access Control level 1 (3-5 days);
• Web portal for auditing and managing NTFS rights or Group Management (2 days);
• Single Sign-On for your 10 main applications (3 days);
• Self Service Password Management (1-3 days);
• Password Synchronization (1 day).

Interested? Please visit our website; Tools4ever, Inc. to learn more about our solutions and how they will help you achieve your Identity Management goals.

Doing More with Less

In Identity Management, balancing efficiency and security can be a tough and expensive proposition. IdM projects are complex, require broad support and can very easily fail, so it's understandable that many organizations have resisted these changes in favor of business as usual. Although this is changing due to countless regulatory standards and industry trends, many businesses are still relying on antiquated and painfully manual processes for performing simple tasks such as updating phone numbers or removing access for an employee on leave.

Just last week, a colleague met with a hospital whose onboarding process for a new employee involved at least 3-5 different people, two sheets of paper, several emails and a response time of two days. On top of this, the parties involved were expected to provide accurate information and do their own error checking. With over 1400 employees, you don't need to do much calculating to realize how much time this one process consumes and the risk it creates. The good news is that the hospital is beginning a one-year process of assessing and evaluating identity management options; however, it is still unclear what role workflow automation will play in their eventual solution.

Any organization, like the hospital visited, can easily implement a project that provides a series of web forms and automatic notifications, giving it a means to request, verify and approve facilities and implement network changes independently. Using a provisioning package such as Tools4ever's UMRA, these changes can be executed across the network according to predefined rule sets. The graphic below outlines such a process.

A solution like this is easy to implement and can be an inexpensive way to manage security risks and improve the speed in which user management functions can be accomplished.

For more information, visit our workflow page: Tools4ever, Inc.

Friday, March 18, 2011

We want to automate everything, but …

With an increasing frequency, we hear from our prospects the desire to automate every aspect of their Identity Management process. Inevitably, during the discovery phase, specific items are uncovered that are exceptions to the rule and difficult, or in some cases, impossible to address programmatically. It is conceivable that the vast majority of new user accounts will be handled systematically and only a rare exception will need special treatment.

To this end, Tools4ever can offer a hybrid solution for automating account lifecycle management. As new users are entered into the Human Resource (HR) system, an automated process generates the new user account based on the predefined criteria, but instead of actually committing the account in Active Directory, a “request” is queued for further review.

An email is delivered to a group stating there are pending items to be reviewed. At that point, a Systems Administrator or Help Desk person accesses a web portal and reviews the request. If all appears correct, simply clicking a submit button will execute the account creation in AD, email (Exchange, Google, Lotus) and numerous other systems. If further details are necessary – possibly specific group memberships, larger mailbox store or distribution list access to name a few – the Sys Admin or Help Desk person can add the required resources and then click submit to complete the processing.

Extending this concept further, particularly to schools, colleges and universities: account creation for students is often straightforward and can be automated entirely, without the queued request, while account creation for faculty and staff is often more complex and lower in frequency, and can be handled using the queued process.
By utilizing this hybrid methodology, it is extremely easy to handle both simple and complex account creation scenarios.

To learn more about this application of Identity Management and many others, please visit our website; Tools4ever, Inc.

Thursday, March 17, 2011

Active Directory: Dealing with Reorganizations

The health care sector is undergoing various reorganizations. These require a change in the organizational hierarchy as well as the merging or separation of organizational units. A properly configured Active Directory structure is a precondition for dealing with organizational changes in a flexible way. If the organization has opted for a branched OU structure that is closely aligned with the organizational model, a major effort may be required to modify this structure in case of changes.

The structure depicted below provides an idea of how you can set up Active Directory in such a way that IT can conveniently implement organizational changes, while sufficient room is left for security mechanisms. This structure is based on the assumption that it is possible to retrieve cost centers, functional codes, departments and locations from the HR system (e.g. Meditech or Lawson).

- Administration
-|- Service accounts
-|- Administration accounts
- Organization
-|- Computers
-|- Users (1 OU for all user accounts)
-|- Groups
-|-|- Cost centers (HR interface)
-|-|- Functions (HR interface)
-|-|- Departments (HR interface)
-|-|- Locations (HR interface)
-|-|- Data (nested in the above groups)
-|-|- Mail (nested in the above groups)
-|-|- Applications (nested in the above groups)

In this way, the user accounts can be made a member of one or more functions, departments, cost centers and/or locations. Resources such as data, mail and applications are in turn linked to these groups rather than to individual user accounts. In case of organizational changes, it will suffice to create additional HR groups. It is up to IT to link the right resources to these groups. Using Tools4ever's UMRA solution to set up a link with the HR system allows you to place any user in the right HR group(s). In addition, IT remains in control of the assigned resources.

It is possible to create each HR group in its own OU, for example using UMRA, in the event that more GPO capabilities are required because all users are now accommodated in a single OU. In that case it will be possible to roll out a GPO for each HR object. If you use, say, RES PowerFuse, comprehensive GPO settings are usually not required; you will be able to accommodate all HR objects in a single OU and to distinguish them, e.g. through their naming.
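As an added example (not Tools4ever or UMRA code) of the idea behind the structure above: a user's membership in the HR-interface groups is derived from the HR feed, resource groups are nested in those HR groups by IT, and a reorganisation only needs a new HR group plus re-pointed resources. The HR field names, group names and the Radiology/Imaging merge scenario are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# The four HR-interface group families from the OU structure above.
HR_FAMILIES = ("CostCenter", "Function", "Department", "Location")


@dataclass
class HrRecord:
    """One constructed HR feed record; the field names are assumptions."""
    username: str
    cost_center: str
    function: str
    department: str
    location: str

    def target_groups(self) -> set[str]:
        # Exactly one group per HR family; the naming scheme is an assumption.
        return {f"CostCenter-{self.cost_center}", f"Function-{self.function}",
                f"Department-{self.department}", f"Location-{self.location}"}


@dataclass
class Directory:
    """Stand-in for the directory (not a real AD): the HR groups, the resource groups
    nested in them (set up by IT, not by HR), and each user's direct memberships."""
    hr_groups: set[str] = field(default_factory=set)
    resource_nesting: dict[str, set[str]] = field(default_factory=dict)
    members: dict[str, set[str]] = field(default_factory=dict)

    def reconcile(self, rec: HrRecord) -> tuple[set[str], set[str]]:
        """Align a user's HR-group memberships with the HR feed; returns (added, removed).
        HR groups that do not exist yet are created, which is all a reorganisation needs."""
        wanted = rec.target_groups()
        self.hr_groups |= wanted
        current = self.members.get(rec.username, set())
        hr_current = {g for g in current if g.split("-", 1)[0] in HR_FAMILIES}
        added, removed = wanted - hr_current, hr_current - wanted
        self.members[rec.username] = (current - removed) | added
        return added, removed

    def effective_resources(self, username: str) -> set[str]:
        """Resources reached through nesting: every resource group whose parent HR group
        the user is a direct member of."""
        direct = self.members.get(username, set())
        return {res for res, parents in self.resource_nesting.items() if parents & direct}


def demo() -> dict:
    """Constructed scenario: Radiology is merged into a new Imaging department."""
    d = Directory(resource_nesting={
        "Data-RadiologyShare": {"Department-Radiology"},
        "App-PACS": {"Function-Radiologist"},
        "Mail-OncologyDL": {"Department-Oncology"},
    })
    d.reconcile(HrRecord("alice", "CC100", "Radiologist", "Radiology", "MainCampus"))
    before = d.effective_resources("alice")
    # HR now sends the new department code. IT re-points the share's resource group at
    # the new HR group; no user account and no OU has to be touched.
    d.resource_nesting["Data-RadiologyShare"] = {"Department-Imaging"}
    added, removed = d.reconcile(
        HrRecord("alice", "CC100", "Radiologist", "Imaging", "MainCampus"))
    return {"before": before, "added": added, "removed": removed,
            "after": d.effective_resources("alice"), "hr_groups": d.hr_groups}
```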

To learn more about this application of Identity Management and many others, please visit our website; Tools4ever, Inc.

Two-factor Password Authentication

Tools4ever’s Self Service Password Management has always been available with a web interface, allowing users to reset their Active Directory passwords from an intranet or via the web. On the basis of a number of simple, predefined questions, end-users can reset their password. Although this has been widely adopted, mostly in educational establishments, some form of two-factor authentication has been requested by many of our corporate customers.
On the 18th of February we released SSRPM Security Module, which adds two-factor authentication via email. Two-factor authentication (TFA or 2FA) means using two independent means of evidence to assert an entity's identity to another entity.

When a user logs onto the Active Directory domain for the first time following an SSRPM deployment, as well as answering a question set configured by the administrator, they will also be asked to supply a private email address. If an end user should subsequently forget their password, they can answer the challenge questions in the standard way. However, before they can reach the final stage and submit a new password, they must first enter the PIN emailed to their private address. This scenario illustrates the basic parts of most two-factor authentication systems: the "something you have" + "something you know" concept.
Two-factor authentication already secures the web interface. But we intend to extend this even further by enabling the forwarding of PINs to mobile phones by SMS. Watch this space for further information!
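The two stages described above, as an added example that is not SSRPM code: the challenge questions gate the issuing of a PIN, and the PIN is only stored hashed, expires, is limited to a few attempts and can be used once. The PIN length, lifetime and attempt limit are assumptions, and sending the e-mail is left to the caller.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

PIN_DIGITS = 6        # assumption: six-digit numeric PIN
PIN_LIFETIME_S = 600  # assumption: a PIN is valid for ten minutes
MAX_ATTEMPTS = 3      # assumption: three wrong PINs abort the reset


@dataclass
class PendingReset:
    """Server-side state of one reset in progress; the PIN itself is never stored."""
    username: str
    pin_hash: bytes
    salt: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS
    questions_ok: bool = False   # has the "something you know" stage been passed?


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # A leaked table of pending resets must not reveal live PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def start_reset(username: str, answers_correct: bool, now: float) -> tuple[PendingReset, str]:
    """Stage 1, the challenge questions. Only when they are answered correctly is a PIN
    generated; it is returned so the caller can e-mail it to the private address on file."""
    if not answers_correct:
        raise PermissionError("challenge questions failed")
    pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
    salt = secrets.token_bytes(16)
    pending = PendingReset(username, _hash_pin(pin, salt), salt,
                           now + PIN_LIFETIME_S, questions_ok=True)
    return pending, pin


def verify_pin(pending: PendingReset, supplied: str, now: float) -> bool:
    """Stage 2, the e-mailed PIN ("something you have"). Fails closed when the questions
    were not passed, the PIN has expired or the attempts are used up; the comparison is
    constant-time, and a PIN that has verified once cannot be used again."""
    if not pending.questions_ok or now > pending.expires_at or pending.attempts_left <= 0:
        return False
    pending.attempts_left -= 1
    ok = hmac.compare_digest(_hash_pin(supplied, pending.salt), pending.pin_hash)
    if ok:
        pending.attempts_left = 0   # single use
    return ok
```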

To learn more about our solution, visit: Tools4ever, Inc.

Wednesday, March 16, 2011

Automatic handling of helpdesk tickets related to users and access rights

Many organizations today already have web forms in place to handle requests for user accounts, access rights or other resources. Typically a manager can use such web forms from their intranet to announce the arrival or departure of an employee. They can request an account, mailbox, shares, groups or application rights. At the end of the form or workflow, a ticket arrives at the helpdesk who will then create the account and resources or request that this be done by the system administrators.

This time-consuming and error-prone work consists of entering data directly into Active Directory or other systems, and what’s more, it is the same data that already exists in the help desk ticket.
Although UMRA has its own workflow management system and the option to create web forms, we recently found a way to deploy UMRA in an existing situation. In the example of a financial institution, we configured UMRA to automatically process all new tickets related to users and their rights and resources.

The advantages:
• A short implementation time of 2 days to automatically process all tickets related to users and access rights;
• Saves a lot of time for the system administrators;
• Guarantees that all the standards are respected;
• Eliminates manually keying in the same information twice with possible errors;
• Possible to process the request in different systems (Active Directory, Mail system, databases and applications).

Using this methodology, all the available information from the request is utilized in the optimal way.

A potential disadvantage of this situation lies in the fact that web forms managed within the company’s intranet are often not dynamic, creating a ‘static’ ticket. The configuration data, such as departments, OUs or groups in the Active Directory, and the relationship between an employee and their manager, have to be managed separately and often manually. By utilizing UMRA forms, which are fully dynamic and able to retrieve information in real time from the Active Directory or the HR system, that data can be used to create the appropriate drop-down lists, eliminating another source of errors and manual entry.

To learn more about this application of Identity Management and many others, please visit our website; Tools4ever, Inc.

Friday, March 11, 2011

Keeping Active Directory Clean

One of the issues that frequently arise, especially in larger organizations, is the need to provide contractors, consultants and temporary employees with access to network resources and email. The concept of automating the lifecycle by integrating with a Human Resource system breaks down because these types of employees are rarely entered there.
We have solved this dilemma numerous times for companies by implementing a web-based workflow. The hiring manager accesses an internal web page and completes the relevant information - name, department, type of employee, expected length of service, etc. Once the form is submitted, IT or the helpdesk can review the information and process it automatically. An email is delivered back to the hiring manager with the username, email address and initial password.
The key element here for keeping AD clean is the expected end-of-service date. As that date approaches, a notification can be delivered to the manager asking if the date should be extended. If yes, the manager clicks on a link in the email and can enter a new end date. If no, the process automatically disables the user on the last day of service. A manager can also be given an option to disable or terminate the account immediately if the person has already left.
After sitting in a disabled status for a period of 60 to 90 days, the record can automatically be purged from AD. Implementing a process like this saves time and potential licensing costs and increases security, all while making life easier for the OIT department.
To learn more about this application of Identity Management and many others, please visit our website; Tools4ever, Inc.

Can an identity management solution save lives?

Managing double entries in hospital information / medical systems

In the field of Identity Management we are usually concerned with managing employees and their user accounts, access rights and authorizations. Sometimes the same principles and tools that we use in Identity and Access Management projects can be applied to a wider range of situations not usually associated with identity management. Here’s a recent example:

A hospital has to be very careful about the management of access rights for its employees, but also when it comes to the patient data within its applications. Recently, when meeting with the IT management of a big hospital, we were asked whether we could also prevent double entries of ‘patients’ in Hospital Information Systems (HIS) like Meditech, McKesson, Epic, CPSI, Sage Health, EClinical Works, Allscripts and Eclipsys.

Imagine a patient existing twice in the hospital information system due to a typo or other mistake. That means the patient has two files containing different information. The doctors may then miss important information if they don’t access the right patient file. Imagine a patient who is allergic to penicillin being given a penicillin treatment just because of a typo in the HIS.

Using the same mechanisms and tooling used by identity management solutions, in this case Tools4ever’s UMRA, and applying UMRA’s capacity to detect doubles or possible double entries in various systems, can save lives. With the different kinds of matching mechanisms in UMRA this is quite easy to do: a possible double can be detected very early and a notification sent to the person managing that particular data, who then validates whether or not the two records really refer to the same patient. UMRA can of course also manage all the tracking and tracing required regarding the alerts and the way they have been dealt with.
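As an added example of the kind of matching described above (not UMRA code): records are compared on normalised name, date of birth and postcode with a weighted score, and every pair above a threshold becomes an alert for a person to validate rather than an automatic merge. The record layout, weights, threshold and the sample patients are all constructed for the example.

```python
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Patient:
    """Constructed HIS record; the field set is an assumption."""
    record_id: str
    last_name: str
    first_name: str
    dob: str        # YYYY-MM-DD
    postcode: str


def normalise(s: str) -> str:
    """Fold accents, case and punctuation so "O'Brien", "OBrien" and "o brien" compare equal."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", s.lower())


def similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def match_score(p: Patient, q: Patient) -> float:
    """Weighted score in [0, 1]. Weights are assumptions: date of birth carries the most
    and is compared fuzzily as well, so a transposed digit does not hide a double."""
    return (0.45 * similarity(p.dob, q.dob)
            + 0.30 * similarity(p.last_name, q.last_name)
            + 0.15 * similarity(p.first_name, q.first_name)
            + 0.10 * (1.0 if normalise(p.postcode) == normalise(q.postcode) else 0.0))


def find_possible_doubles(patients: list[Patient],
                          threshold: float = 0.8) -> list[tuple[str, str, float]]:
    """Every pair at or above the threshold is an alert for the data steward to validate;
    nothing is merged automatically. The threshold is an assumption to be tuned per system."""
    alerts = []
    for i, p in enumerate(patients):
        for q in patients[i + 1:]:
            score = match_score(p, q)
            if score >= threshold:
                alerts.append((p.record_id, q.record_id, round(score, 2)))
    return alerts


def demo() -> list[tuple[str, str, float]]:
    """Constructed sample: one surname typo, one DOB transposition, two genuine others."""
    patients = [
        Patient("P001", "Johnson", "Mary", "1985-03-12", "12345"),
        Patient("P002", "Jonson", "Mary", "1985-03-12", "12345"),    # typo in surname
        Patient("P003", "Johnson", "Mark", "1990-07-04", "54321"),   # a different person
        Patient("P004", "Smith", "John", "1970-01-01", "99999"),
        Patient("P005", "Johnson", "Mary", "1985-03-21", "12345"),   # day digits swapped
    ]
    return find_possible_doubles(patients)
```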

To learn more about Tools4ever solutions, please visit our website,
Tools4ever, Inc.

Tuesday, February 22, 2011

Manage Outlook Office Assistant without direct access to the mailbox

A common situation in organizations: an employee is ill or absent for a long period of time and their Outlook Office Assistant is not activated. The result: e-mails are not answered, poor service and angry customers.

Because of data protection, it is not possible to turn on the Outlook Office Assistant without direct access to the mailbox: another employee would have to know the login credentials of the absent worker in order to read e-mails, forward e-mails and turn on the Outlook Office Assistant.

This creates an insecure situation. However, it can be easily resolved with the Out of Office Manager Tool (OOMT) by Tools4ever.

With OOMT, administrators or helpdesk personnel can turn on Outlook Office assistant wizard without logging into the mailbox of the user. This task can also be delegated to departments, even without additional admin rights.

It is also possible to integrate OOMT with Tools4ever’s User Management Resource Administrator (UMRA) in order to make a connection with the HR system of the company. The HR system keeps track of employees who are sick, on vacation or on a business trip, and of employees who leave the organization. Thanks to this integration, UMRA can automatically set up the Out of Office Assistant and forward e-mails so they can be answered promptly.

Professional handling of email traffic in your organization is guaranteed.

Monday, January 31, 2011

A school system registers parents...

As part of this blog, I strive to present unique cases where clients have requirements that are “outside” the box of normal Identity Management solutions and I think this one definitely fits the bill.

One of the top 10 school districts in the State of Florida, and top 25 in the country, had an Identity Management issue that did not involve students or faculty/staff but rather the parents. Legislation had been passed that required any parent wanting access to their child's online learning environment to present themselves in person with identification and request an account. With over 125 physical locations and 500+ users that would be handling the process, a paper system was out of the question.
The solution that was settled on was a combination of standard Tools4ever products and just a little bit of custom web work.

Tools4ever worked very closely with the technical staff of the district to ensure the requirements were very detailed, to avoid any missed components. In the end, a solution was delivered utilizing User Management Resource Administrator (UMRA), in about 30 hours of consulting, that fully met their needs.

Here is a brief overview of the solution:

• A parent shows up at a school and requests an account to access their child's or children's information.
• A secretary or administrator verifies their ID and enters relevant information into a web page, including:
  • Name
  • ID type, number and expiration date
  • Phone number(s)
  • Address
  • E-mail
• The secretary then searches for the student(s) using name or student ID criteria and verifies with the parent that the correct name is displayed.
• The secretary then clicks “Create Parent Record” and, if no duplicate entries are found, the record is created in Active Directory and the student information system, and a link between the parent and child is created.
• A temporary password is returned; the secretary records the information, along with the user name, and delivers it to the parent.


As part of the project, Self Service Reset Password Manager (SSRPM) was also deployed for the parents to allow them to enroll and reset their passwords via challenge questions, avoiding an unnecessary burden on the help desk staff.

Additional web forms were delivered to allow administrative staff to reset passwords for parents’ accounts, check their SSRPM enrollment status, run last logon reports, disable accounts, update accounts and report on SSRPM enrollment.

Since deploying the system, over 100,000 parents have been successfully enrolled and can access their child’s records with ease. The paperwork that had previously been used for the process has been eliminated and, through SSRPM, the additional burden on the help desk has been non-existent.

To learn more about Tools4ever solutions, please visit our website,
Tools4ever, Inc.

Wednesday, January 26, 2011

UMRA & Controlled Assessment

Traditionally, the part of the Tools4ever Identity Management Suite that schools and colleges use is UMRA Forms, a secure interface to quickly and accurately manage the life cycle of a user. However, when a school links Active Directory to their student information system, all student account changes are automated, with no need for manual intervention. This negates the requirement for UMRA Forms.

However, a couple of months ago we were approached by a school with an interesting problem regarding controlled assessment. The school’s IT Manager creates exam accounts for pupils, with home directories shared in the normal way to each user. In the home directory he creates a series of "Exam" folders, which the pupil should only access during a Controlled Assessment session. Because it is a boarding school, a pupil may need to use their exam account outside of a controlled assessment period, so enabling and disabling the account as required is not a suitable solution.

What the IT Manager really required was a way to control NTFS permissions on the exam folders within the home directory of each account. So Tools4ever built a simple interface, delegated to teaching staff, that switches access to the exam folders on and off at the click of a button.

Now he has shifted the tedious task of controlling exam accounts back to teaching staff. More importantly, UMRA is logging every action to keep the auditors happy.

To learn more on Tools4ever solutions, visit our website:
Identity Management

Wednesday, January 5, 2011

Password Management Leads to More!

A recent pilot project at a large Canadian manufacturing firm, with about 3,500 employees, resulted in successful implementation and purchase. After evaluating numerous vendors over a 6 month period, this diverse, global manufacturer decided on a pilot implementation of Tools4ever products as a proof of concept. We deployed several of our standard products, along with professional services, to meet the client requirements. Here is a brief synopsis of their requirements and how we set about providing a total solution.

The first phase of the project was to provide a standard methodology to allow end users to reset their Active Directory passwords without calling the helpdesk. In addition to modifying the Windows login screen, a web portal was also required to facilitate resets from machines that were not part of the domain. Further, both components needed to be available in English, French, Spanish, German and Finnish. Self Service Reset Password Manager (SSRPM) provided the needed functionality out of the box, with the only shortfall being native support for Finnish. However, as all the text for the Enrollment and Reset Wizards is contained in a locale file, the modification for Finnish was accomplished by the client in about 45 minutes.

The second phase of this project involved the use of User Management Resource Administrator (UMRA) Web for Employee Self Service and Delegation, and Password Synch Manager. The desired result of this phase was to be able to reset a user’s SAP password at the same time, and using the same password, as the AD password. In order to accomplish this, it was necessary to collect the SAP user name from the end users, as there was no relationship established between the AD and SAP credentials. A number of other attributes, such as manager’s name and cell phone, were also collected for populating AD. Once this phase was completed, an end user could perform a normal password reset through ALT-CTRL-Del or reset a forgotten password through SSRPM, and the password would automatically be reset in both AD and SAP.

The third and final phase of the project involves the UMRA Delegation and Workflow components. The company has a large number of consultants and temporary employees. When their accounts are created in AD, they will be tagged with an anticipated expiration date in Active Directory. Two weeks prior to this date, the manager will be notified of the pending action and given an opportunity to extend the date. If no action is taken, a second notice will be generated one week before and then again the day prior to expiration. If no action is taken by then, the account is automatically disabled and moved to a separate OU. After 30 days in a disabled state, the account is automatically deleted from AD. This process provides an automated methodology for keeping AD clean.
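The expiry-driven lifecycle described in Phase 3 here and in the earlier "Keeping Active Directory Clean" post, as one added example that is not UMRA code: a daily job sends the manager notices at the configured offsets, disables and moves the account on the end date, and deletes it after the retention period; the manager can extend the date or report an early departure. The notice offsets and 30-day retention follow Phase 3 (the earlier post keeps 60 to 90 days); the OU names, field names and sample accounts are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Account:
    username: str
    manager: str
    end_date: date                       # expected last day of service
    enabled: bool = True
    deleted: bool = False
    ou: str = "OU=Contractors"           # assumption
    disabled_on: date | None = None
    notices_sent: set[int] = field(default_factory=set)   # offsets already notified


@dataclass
class Policy:
    notice_days: tuple[int, ...] = (14, 7, 1)   # Phase 3: two weeks, one week, day prior
    retention_days: int = 30                    # Phase 3; the earlier post keeps 60 to 90 days
    disabled_ou: str = "OU=Disabled"            # assumption


def extend(acct: Account, new_end: date) -> None:
    """The manager follows the link in the notice and enters a new end date."""
    if new_end <= acct.end_date:
        raise ValueError("new end date must be later than the current one")
    acct.end_date = new_end
    acct.notices_sent.clear()   # the new date gets its own round of notices


def terminate(acct: Account, today: date) -> list[str]:
    """The manager reports that the person has already left: disable today."""
    acct.end_date = today
    return daily_run(acct, today)


def daily_run(acct: Account, today: date, policy: Policy = Policy()) -> list[str]:
    """One scheduled run for one account; returns the actions taken as audit lines."""
    actions: list[str] = []
    if acct.enabled:
        days_left = (acct.end_date - today).days
        # "<=" catches a notice missed by a skipped run; all passed offsets are marked so only one goes out.
        due = [o for o in policy.notice_days if 0 < days_left <= o and o not in acct.notices_sent]
        if due:
            acct.notices_sent.update(due)
            actions.append(f"notify {acct.manager}: {acct.username} expires in {days_left} day(s)")
        if days_left <= 0:
            acct.enabled, acct.disabled_on, acct.ou = False, today, policy.disabled_ou
            actions.append(f"disable {acct.username} and move to {policy.disabled_ou}")
    elif (not acct.deleted and acct.disabled_on
          and (today - acct.disabled_on).days >= policy.retention_days):
        acct.deleted = True
        actions.append(f"delete {acct.username}")
    return actions


def simulate(acct: Account, start: date, end: date, policy: Policy = Policy()) -> list[str]:
    """Run the job every day from start to end; returns 'YYYY-MM-DD action' lines."""
    log, day = [], start
    while day <= end:
        log += [f"{day.isoformat()} {a}" for a in daily_run(acct, day, policy)]
        day += timedelta(days=1)
    return log


def demo() -> dict[str, list[str]]:
    """Constructed cases: an account that runs out, one extended after its first notice,
    and one whose manager reports the person has already left."""
    plain = Account("ctr01", "mgr1", date(2011, 3, 31))
    ext = Account("ctr02", "mgr2", date(2011, 3, 31))
    log_ext = simulate(ext, date(2011, 3, 1), date(2011, 3, 20))
    extend(ext, date(2011, 4, 30))
    log_ext += simulate(ext, date(2011, 3, 21), date(2011, 5, 31))
    gone = Account("ctr03", "mgr3", date(2011, 6, 30))
    return {"plain": simulate(plain, date(2011, 3, 1), date(2011, 5, 31)),
            "extended": log_ext,
            "terminated": terminate(gone, date(2011, 4, 1))}
```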

Shortly after wrapping up Phase 3, the company will begin to look at other Tools4ever solutions including Enterprise Single Sign on and automated user account provisioning. To learn more on Tools4ever solutions, visit our website:
Identity Management