Thursday, December 13, 2012

Volvo Cars Nederland Implements Tools4ever’s Enterprise Single Sign On Manager

Seeking to streamline employees' access to internal accounts, Volvo Cars of The Netherlands sought a solution to reduce the number of login and access credentials employees need to gain access to their (web) applications.

Employees at the dealership use 20 different applications a day, on average, each of which requires a different combination of user name and password. Through Tools4ever’s single sign on, a total of 35 generic web applications, including sales and inventory and workplace management suites, were made ready for single sign on with the help of Enterprise Single Sign On Manager (E-SSOM). The software’s implementation was carried out in collaboration with Volvo Cars Nederland B.V.’s software and service provider, Beesd A2.

“When Tools4ever presented us with its solution, I was immediately impressed by the product’s ease of use and how fast Tools4ever was able to implement the solution,” said Tjeu Bollen, the founder of Beesd A2. “During a pilot run of the program, Tools4ever was able to make 20 applications ready for single sign on in just one day. This pilot, and the relatively low costs of the solution, made our decision to select this suite very easy.”

The European dealer is not alone in its desire to streamline. Dealerships across the globe are increasingly forced to turn to web applications to process and sell automobiles. Typically, each of these web applications requires a different user name and password. As is often the case, employees write down passwords on sticky notes or file them in other non-secure ways in an attempt to remember them. A single sign on solution corrals all systems together and allows a user to enter just one password or login credential to access them.

The staff at Volvo Cars B.V., in particular, benefit from the software. They no longer have to enter credentials for each individual application, and spend considerably less time on the login process and are spared a lot of frustration.

During a successful pilot at one of the Volvo dealerships, the value of the Tools4ever single sign on software quickly became apparent to the employees, said Dean Wiech, managing director of Tools4ever. “Three salespeople and two receptionists tested the software on site over a period of two months. From the very first day, they were highly enthusiastic about the solution, as they no longer had to log in to each and every application. They realized the immediate efficiencies it created.”

“When the two months had ended and the test license expired, they got on the phone and said that they absolutely needed the software.”

The dealership has since implemented Tools4ever’s E-SSOM across all of its 110 branches throughout the Netherlands.

For more about Tools4ever, E-SSOM and to read customer case studies, visit our website.

Friday, December 7, 2012

Managing Free Email Solutions for Education

 
When educational institutions first began providing students with email accounts, the options were limited: implement an in-house solution from Novell or Microsoft, depending on your network infrastructure. There were also some small players in the market that provided hosted solutions. The problems with these options were that they were expensive, required resources to set up and maintain, and had ongoing costs associated with them.

About 5 years ago, Google, as they so often do, upset the proverbial apple cart by giving free email accounts to the educational space. Not to be outdone, Microsoft soon followed up with Live@edu and then Office 365 for Education. Both of these offerings eliminated the requirement for schools and colleges to purchase and maintain hardware for email and also eliminated the need for licensing of Exchange or GroupWise.

One of the initial shortfalls of these offerings was that there was no easy way to manage accounts in bulk. They did provide an interface that allowed for “one off” account creation and management, but with the large influx and outflow of students that the typical school or college faces each semester, the task can be daunting at best. One college I recently spoke with shared that when they first deployed Google Apps, they spent nearly 300 man hours keying in data, and they only had about 5,000 student accounts to create. Extrapolating this out, they could anticipate spending 3.6 minutes per account, or 75 hours per year, managing email accounts, assuming 1/4th of their students matriculate annually.

Further complicating these deployments was the fact that there was no easy way to synchronize passwords between the network account and the email account. It was easy to set the initial password as identical but, as is often the case, the user is required to change the password upon initial login. This frequently resulted in two different passwords, one for the network and one for email, causing a large number of calls to the helpdesk for password resets in one or both systems.

Fortunately, vendors that specialize in Identity and Access Management stepped in quickly to fill the void. Software tools were made available to allow IT staff to extend their automated user account provisioning to include both the Google Apps and Office 365 environments. By utilizing these connectors, the amount of time to manage an account went from 3.6 minutes to virtually zero. As the solutions offered by Google and Microsoft provide email accounts “for life”, it is important to have procedures in place that ensure the email accounts remain active, and are possibly moved to an alumni folder, upon student graduation. This needs to occur even when the network access account has been deleted.

Another feature available from software vendors was a password sync tool. Any time a user changed a password in their network account, the new entry was immediately passed to the mail account, ensuring consistency and a significant reduction in calls to the helpdesk. Extending this one step further is providing a self-service password reset application whereby the student can reset a forgotten password based on challenge questions. This reset password can also be synced to the email solution, once again ensuring consistency.

Summary
While the email offerings provided by Google and Microsoft are free, the time required to set up and manage thousands of student and faculty accounts can be overwhelming and expensive. Fortunately, cost-effective solutions are commercially available to reduce or eliminate the burden placed on the IT staff by automating the user and email account lifecycle.


For more information, please visit our website.

Friday, November 30, 2012

Healthcare Provider Saves Time and Money

Lifestyle Hearing is a healthcare provider of hearing solutions with over 50 clinics, as well as many independently owned network member locations throughout Canada. These clinics provide customers with a series of auditory services including testing patients for hearing, recommending and providing a customized solution, as well as following up with ongoing visits and making sure everything is working properly. Recently the company has grown rapidly from just 2 employees to over 130 and continues to expand across Canada.

This rapid growth of Lifestyle Hearing created many IT complications within the company, such as departments and roles needing to be created and formed. Since they started as a small company, many employees had responsibilities spanning several roles that needed to be clearly defined as the company grew. This meant that user accounts needed to be created in multiple systems and controls needed to be put in place. Franco Butera, IT Director at Lifestyle, said, “This task took about half an hour for IT to complete, and that was only if we had all the correct information at the beginning. If not, we had to track down the employees in an attempt to get the information, and wait for a response which could take up to an hour or more.” It is critical to ensure all information is correct, such as credentials for doctors, since they are operating in the healthcare arena. All of this work was taking valuable time away from the IT department, but could not be completed by department managers due to lack of technical know-how.

Butera knew just how to solve these problems due to his positive experiences with Tools4ever’s User Management Resource Administrator (UMRA) at previous companies. He had come in contact with and used UMRA at both a larger telecommunications company in Canada and a higher education facility in Bermuda. Both projects had been extremely successful and had easily solved all of the organizations’ account management problems.

Completely controlled project
Tools4ever implemented UMRA at Lifestyle Hearing in a three-phased approach. “The entire process was exceptional, from gathering the requirements, to deployment, to the types of resources Tools4ever provided.” Tools4ever was able to promptly implement the solution and get it up and running to start creating accounts in just the first phase. “The project never slipped away, and was completely controlled. I was juggling many complex projects at the time, and Tools4ever’s UMRA was by far the easiest to work on.” Tools4ever was also able to customize the solution to meet Lifestyle Hearing’s needs by building a connector to the company’s procurement resource system, Coupa.

No IT involvement
UMRA completely removed the account creation process from IT; it is now handled entirely by the human resources department. Before UMRA, IT was the bottleneck because they often had to handle other important tasks and were not able to create accounts quickly for new employees. HR now has controlled access through a web-based form to create an account, which allows them to easily enter the employee’s information and define their profiles and which systems they need accounts in. Lifestyle Hearing used to have a 4 to 5 day window for account creation, but with UMRA employees are now able to have their accounts created right away and start working the same day they are hired, as needed.

Substantial savings
“Tools4ever’s UMRA saved our IT department a significant amount of time in the long run.” IT at Lifestyle Hearing no longer has to even hear about account creation and can focus on more important issues. Franco stated, “If you multiply how long it took for IT to create an account by the number of accounts that we need created and edited, the savings is substantial.” UMRA is also able to track and audit Lifestyle Hearing so that it easily meets all audit requirements. “I have seen it manage thousands of accounts without any issues. It’s a must-have application for companies of any size!”

For more information, please visit our website.

Friday, November 16, 2012

The Monster Called RBAC

In the world of identity and access management, Role Based Access Control (RBAC) is gradually becoming a frequently used term. Dictated in part by legislative and regulatory norms, an increasing number of organizations wish to manage and assign all access privileges across the network in a structured way. This is possible through the use of RBAC software. So how can companies achieve an adequate implementation of RBAC across their entire organization?

Organizations are faced with two pitfalls when it comes to assigning and revoking access rights. To assign rights, they often create a copy of a colleague’s account, also known as “template user.” This creates the risk that new employees are provided with unwarranted access to business applications and systems.

Added to which, organizations do not pay sufficient attention to revoking access rights when they create copies of existing user accounts. After all, their most important consideration is enabling new employees to do their job rather than checking for excess access rights. Dictated by standards, IT auditors and unnecessary licensing costs for suites including Microsoft Visio, Projects and Adobe CS, organizations have come to acknowledge the importance of a responsible handling of authorizations.

HR System as Basis
RBAC is a technique for implementing authorization management across organizations. This technique involves assigning rights on the basis of RBAC roles rather than assigning access rights to individual users. These roles in turn comprise the department, function, location and cost center associated with an employee.

Although organizations acknowledge the importance of RBAC, they are cautious about implementing this technique. RBAC has undeservedly gained the reputation that it involves a large effort – particularly in terms of management overhead – as well as lengthy and complex implementation cycles. In fact, RBAC is viewed as a monstrous entity. This misunderstanding is the result of an incorrect approach to its implementation.

In the past, the people who have been responsible for RBAC implementations were under the illusion that 100 percent of the staff could be molded into a single RBAC role. More often than not, there are as many functions in an organization as there are employees. This results in an endless list of roles in relation to resources, so that assigning an RBAC role to each employee becomes a lengthy process. Another question is whether everybody and everything has to be included in RBAC. Isn’t RBAC exclusively needed for user groups, which require a careful authorization set-up from the point of view of risk management, regulations and efficiency?

In any case, RBAC can be handled differently -- quicker and with less complexity.

RBAC as Lego Blocks
The advice for RBAC is to use a bottom-up and stacked approach. This approach involves the creation of a foundation that can be expanded at a later stage. After all, the majority of employees need access to standard applications such as Microsoft Office and Outlook. For a large number of employees, access rights on the organizational level (logging in, word processing, e-mail) and departmental level (access to the department share and departmental applications) can be assigned right away. In this context it is important to determine the top 50 combinations of department and function for active employees.

The HRM system is an excellent source for determining these combinations. This will pave the way for a role model on the organizational level. As an example, a hospital in Lynbrook has a surgery department that includes the functional role of “Nurse.” The organizational role can be created on the basis of the function, department and location found in the HRM system. These are “Nurse” and “Surgery Nurse,” respectively. After “Nurse” and “Surgery” have been defined, a nurse in the surgery department will automatically be identified as “Nurse + Surgery” and assigned the stacked roles.

Using this method, it becomes very easy to populate more than 80 percent of the RBAC table. A major benefit of this approach is that new employees can start working on their first day while time is liberated for the assignment of specific rights on an application and system level.

A subsequent step is to translate these organizational roles into application or system roles, which will comprise the remaining 20 percent of the RBAC table. The basis for this is already present and now further stacking will take place. The assignment of the system roles can easily be handled by the relevant manager. After all, managers, rather than HR, are responsible for the access rights of their employees. On the basis of a special workflow, the relevant manager will be prompted by an e-mail notification and/or web form to specify the access rights and applications for the employee concerned. The RBAC software can subsequently record the manager’s choices to further populate the empty sections of the RBAC table and eventually achieve a fully populated table.

This means it is possible to have a manager handle all the translations of roles within their department, with an option to delegate tasks to a colleague. An action triggered by the manager may also result in a workflow notification to a license manager. This allows managers to exactly determine and manage what happens within their department or cost center.

Detailed Access Rights
Because the system and application roles contain the detailed access rights for the application in question, the role can be implemented. The responsibility for the actual provision of network access lies within IT, as well as Functional/Technical Application Management. It is also possible to automate this part of the process (provisioning) with the help of identity management software.

The major advantage of implementing RBAC in this way is the speed of implementation. Where it takes other vendors a year, Tools4ever, for example, is able to create a first standard for organizations within two months. Added to this, customers can easily achieve SoD (Segregation of Duty), by refusing certain access rights in case of forbidden combinations of roles and departments. In case of downsizing initiatives, it will not be necessary to recreate the RBAC table from scratch.
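The stacked role model described in the preceding sections (organizational rights for everyone, departmental and functional rights stacked on top, manager-granted application rights for the remainder, and Segregation of Duties enforced on forbidden combinations) can be written down in a few dozen lines. The following is an added example for this post, not Tools4ever's code and not the API of any RBAC product; the HR records, right names, "top 50" ranking and the single SoD rule are constructed. It also measures how much of the population the top layers already cover, which is the figure the text puts at about 80 percent.

```python
"""Stacked RBAC ("Lego block") model with a segregation-of-duties check.

Added example for this post; it is not Tools4ever's code and not the API of
any RBAC product. The HR records, right names and SoD rule are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    """One employee row as the HRM system would expose it (constructed)."""
    employee_id: str
    department: str
    function: str
    location: str
    cost_center: str


# Top of the pyramid: rights every active employee receives.
ORG_RIGHTS = frozenset({"login", "word_processing", "email"})

# Departmental layer: the department share and departmental applications.
DEPARTMENT_RIGHTS = {
    "Surgery": frozenset({"share:surgery", "app:or_scheduler"}),
    "Finance": frozenset({"share:finance", "app:ledger"}),
}

# Functional layer: rights that follow the job function regardless of department.
FUNCTION_RIGHTS = {
    "Nurse": frozenset({"app:ehr_view", "app:medication_admin"}),
    "Purchaser": frozenset({"app:purchase_order"}),
    "Controller": frozenset({"app:ledger_approve"}),
}

# Segregation of duties: combinations of rights that may never be held together.
SOD_RULES = [
    (frozenset({"app:purchase_order", "app:ledger_approve"}),
     "may not both raise and approve purchase orders"),
]


def stacked_roles(rec):
    """Names of the roles stacked for a record, e.g. ['Organization', 'Nurse', 'Surgery', 'Nurse + Surgery']."""
    roles = ["Organization"]
    if rec.function in FUNCTION_RIGHTS:
        roles.append(rec.function)
    if rec.department in DEPARTMENT_RIGHTS:
        roles.append(rec.department)
    if len(roles) == 3:
        roles.append(f"{rec.function} + {rec.department}")
    return roles


def effective_rights(rec, manager_grants):
    """Union of the organizational, departmental, functional and manager-granted rights."""
    return (set(ORG_RIGHTS)
            | DEPARTMENT_RIGHTS.get(rec.department, frozenset())
            | FUNCTION_RIGHTS.get(rec.function, frozenset())
            | manager_grants.get(rec.employee_id, set()))


def sod_violations(rights):
    """Descriptions of every SoD rule the given rights set would break."""
    return [why for combo, why in SOD_RULES if combo <= rights]


def request_grant(rec, right, manager_grants):
    """Manager workflow for the remaining application-level rights: refuse any
    grant that would create a forbidden combination, otherwise record it."""
    proposed = effective_rights(rec, manager_grants) | {right}
    if sod_violations(proposed):
        return False
    manager_grants.setdefault(rec.employee_id, set()).add(right)
    return True


def top_combinations(records, n=50):
    """Most common (department, function) pairs, the first candidates to model."""
    return Counter((r.department, r.function) for r in records).most_common(n)


def table_coverage(records):
    """Share of employees fully served by the organizational, departmental and functional layers."""
    covered = sum(1 for r in records
                  if r.department in DEPARTMENT_RIGHTS and r.function in FUNCTION_RIGHTS)
    return covered / len(records) if records else 0.0


# Constructed sample HR extract.
SAMPLE_RECORDS = [
    HrRecord("e1", "Surgery", "Nurse", "Lynbrook", "CC100"),
    HrRecord("e2", "Finance", "Purchaser", "Lynbrook", "CC200"),
    HrRecord("e3", "Surgery", "Nurse", "Lynbrook", "CC100"),
    HrRecord("e4", "Finance", "Controller", "Lynbrook", "CC200"),
    HrRecord("e5", "Research", "Analyst", "Lynbrook", "CC300"),  # not yet modelled
]

if __name__ == "__main__":
    grants = {}
    for rec in SAMPLE_RECORDS:
        print(rec.employee_id, stacked_roles(rec), sorted(effective_rights(rec, grants)))
    print("coverage:", table_coverage(SAMPLE_RECORDS))
    print("grant ledger_approve to purchaser:",
          request_grant(SAMPLE_RECORDS[1], "app:ledger_approve", grants))
```

The SoD check runs against the employee's full effective rights, not just the manager's new grant, because the forbidden pair can straddle layers: here the functional layer already gives the purchaser `app:purchase_order`, so an ad hoc grant of `app:ledger_approve` is refused even though no single layer contains both.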

The only thing that will have to be modified is the “Who are you” section, and this can be conveniently done in the HRM system. By taking the HRM system as the basis and continuously polling it, managers are ensured of the most up-to-date information and have a populated dashboard at their disposal with the function, department, location and cost center for all their staff. This requires a direct connector with the HRM system, since that is the source of all the information. There are multiple vendors that can provide a connector like this.

Pyramid
It is possible to capture this method in a pyramid running from the top of the organization (top), via department, location and function, down to individual employees (base layer). The top layer (organization and location) exclusively includes access rights that apply to all employees; this section can be populated right away. Organizations may wish to stop populating the RBAC table at the department/function level and handle the remaining details on an ad hoc basis, through a workflow. They will subsequently be able to further populate the pyramid, and thus the RBAC table.

Conclusion
RBAC currently attracts the attention of many organizations because this access methodology allows them to assign and revoke access rights in an efficient, transparent and controllable way. An RBAC implementation does not necessarily have to be complex. It is often recommended that organizations use a stacked approach to RBAC and automate the assignment of access rights on an organizational and departmental level (through their HRM system), focusing on the top 50 combinations of functions and departments. This should enable a quick and convenient population of up to 80 percent of the RBAC table. The detailed access rights of the remaining 20 percent cause organizations a great many headaches. To handle these remaining 20 percent in a pragmatic way using the RBAC model, organizations should have their managers handle the assignment of access rights to employees. The managers will be able to determine and modify the detailed access rights for their team.

Over time, the RBAC model will allow organizations to collect more and more information on the choices and selections made during the assignment of access rights. After a review cycle by the security officer, this information can be used to further enrich the RBAC table and to increase the 80 percent to perhaps 100 percent. Knowledge and feedback from the organization help to beat the RBAC monster.


For more information, please visit our website.

Friday, October 26, 2012

Five reasons to use Role Based Access Control (RBAC)


Improve Security of Systems and Applications
Do you know exactly who has access to what at your company? Often when new employees need accounts, a copy of another account is made, which is called a ‘template user’. This creates a security risk, since access to applications and systems is also copied and is often never revoked. RBAC allows you to easily see the resources that employees have available to them based upon their role in the organization. This will allow you to ensure that nobody who is not supposed to has access to secure systems and applications, and to make changes as necessary.

Easily Make Security Changes
Employees frequently change roles and jobs within an organization and subsequently need different access privileges. With RBAC in place, these changes can be handled no matter how difficult. Complex changes, such as a part-time employee working in two different departments, can also be handled without significant effort.

Easily Meet Audit Requirements
Using RBAC makes meeting strict audit requirements easy. Industries such as healthcare and finance need to be able to show that their information is secure and have had stricter requirements put on them in recent years. With RBAC, companies can easily ensure that secure information remains that way, and can easily access this information for audits.

Increase Productivity of Employees
Assigning new employees their correct access rights can be time consuming for both the IT employee and the end user. With RBAC, new employees do not have to wait for their privileges to be assigned and are able to begin working with the necessary applications such as word processing, email and departmental shares, and then receive more specific privileges later on.

Reduce costs
Since the IT staff can see which applications are being used and how often, they can determine which are necessary for their business needs. Those that are not being accessed can be eliminated, or have their licensing counts reduced, thus saving the organization money.

For more information on RBAC, please visit our website.

Friday, October 19, 2012

Two Factor Authentication

According to Wikipedia, Two-factor authentication (TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something the user knows"), a possession factor ("something the user has") and an inherent factor ("something the user is").

As organizations of every type become more concerned with the security of their networks, they are increasingly turning to enhancing the normal user name and password credentials with an additional strong authentication method. Banking has used this concept for years with the ATM card: you must have the physical card and a PIN. Laptop manufacturers have been providing optional fingerprint readers for years as well. The question is how two factor authentication can provide extra security to an organization without requiring a large capital outlay. Two options are becoming commonplace.

Password Resets
The concept of using challenge questions (what’s your mother’s maiden name, where were you born, etc.) has been around for many years. Banking websites are the most common example of this concept: forget your password and successfully answer the challenge questions to reset it. With the advent of smartphones and text messaging, many companies have already added a second factor: a one-time PIN code delivered via email or SMS must be provided in addition to the answers. Many vendors are producing products with identical functionality for the corporate network as well. The first iterations of these solutions relied on the challenge questions exclusively to allow password resets. As social engineering concerns have come into play, vendors have been quick to add 2FA to these solutions as well. The delivery of a PIN via text message to the user’s cell phone number on file ensures the reset is being performed by the actual user.

Another benefit of these challenge questions is that they can be utilized by the helpdesk to positively identify a caller. When an employee phones the helpdesk requesting access to a new application or asking to be added to a share or distribution group, the helpdesk can access the questions and masked answers. For example, the answer to “what color is your car” could display as X_XX_ and the caller would be asked to provide the 2nd and 5th characters. If the correct characters are provided, the caller’s identity is confirmed. By masking the answers, the helpdesk employees are never exposed to the confidential answers. A second factor of authentication, delivering a PIN by email or via SMS, can further enhance the security. The number of questions/answers to be provided can be dictated by company policy.
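The masked-answer check and the one-time PIN described in the two paragraphs above, as an added example for this post (not Tools4ever's code or any vendor's product). It assumes the answer store keeps one salted hash per answer character, bound to its position, so that the helpdesk screen only ever shows a mask such as X_XX_ and the positions the caller must read out; the caller's characters are compared with a constant-time comparison, and the PIN is hashed, expires, and can be used only once. The answer "Green" and all PIN lifetimes are constructed sample values.

```python
"""Helpdesk caller verification with masked challenge answers plus a one-time PIN.

Added example for this post, not Tools4ever's code. It assumes the answer
store keeps one salted hash per answer character so the helpdesk screen only
ever shows a mask such as X_XX_ and the positions the caller must supply.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PBKDF2_ROUNDS = 50_000


def _normalize(text):
    """Answers are compared case-insensitively with surrounding whitespace removed."""
    return text.strip().lower()


def _position_digest(salt, index, char):
    """Hash one character bound to its position so 'r' at index 1 differs from 'r' at index 3."""
    return hashlib.pbkdf2_hmac("sha256", f"{index}:{char}".encode(), salt, PBKDF2_ROUNDS)


def enroll_answer(answer):
    """Store an enrolled answer as a salt plus per-position digests; the clear text is discarded."""
    normalized = _normalize(answer)
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "length": len(normalized),
        "digests": [_position_digest(salt, i, ch) for i, ch in enumerate(normalized)],
    }


def choose_positions(record, count=2):
    """Pick which 1-based character positions the caller must read out."""
    positions = secrets.SystemRandom().sample(range(1, record["length"] + 1), count)
    return sorted(positions)


def mask(record, positions):
    """Render the answer for the helpdesk screen: X for hidden characters, _ for the ones requested."""
    return "".join("_" if i in positions else "X" for i in range(1, record["length"] + 1))


def verify_positions(record, provided):
    """Check every requested character; `provided` maps 1-based position to the caller's character."""
    ok = len(provided) > 0
    for position, char in provided.items():
        index = position - 1
        char = _normalize(char)
        if not 0 <= index < record["length"] or len(char) != 1:
            ok = False
            continue
        expected = record["digests"][index]
        actual = _position_digest(record["salt"], index, char)
        # Evaluate every position so a wrong early character does not short-circuit.
        ok = hmac.compare_digest(expected, actual) and ok
    return ok


@dataclass
class PinChallenge:
    """Hash of a one-time PIN and the moment it stops being valid."""
    pin_hash: bytes
    expires_at: float


def issue_pin(now=None, ttl_seconds=300, digits=6):
    """Generate a one-time PIN for delivery by SMS or email; return (pin, challenge)."""
    now = time.time() if now is None else now
    pin = "".join(secrets.choice("0123456789") for _ in range(digits))
    return pin, PinChallenge(hashlib.sha256(pin.encode()).digest(), now + ttl_seconds)


def verify_pin(challenge, candidate, now=None):
    """Accept the PIN only once, before it expires, using a constant-time comparison."""
    now = time.time() if now is None else now
    if now > challenge.expires_at:
        return False
    if not hmac.compare_digest(challenge.pin_hash, hashlib.sha256(candidate.encode()).digest()):
        return False
    challenge.expires_at = float("-inf")  # burn the PIN so it cannot be replayed
    return True


if __name__ == "__main__":
    record = enroll_answer("Green")          # constructed enrolment
    asked = choose_positions(record)
    print("helpdesk sees:", mask(record, asked), "and asks for positions", asked)
    pin, challenge = issue_pin()
    print("PIN sent out of band:", pin, "valid:", verify_pin(challenge, pin))
```

Per-character hashing keeps the answer off the helpdesk screen, which is the goal the post states, but it is not a substitute for protecting the store itself: each position has only a few dozen possible values, so anyone who obtains the salted digests can recover the answer offline regardless of the PBKDF2 cost. Treat the answer store like a password database (restricted access, audited reads) and rely on the out-of-band PIN as the factor that a leaked store cannot reproduce.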

SSO with Strong Authentication

Many technology leaders acknowledge the benefits associated with an SSO solution: productivity gains from reducing the number of required credentials from many to one, and fewer calls to the helpdesk for forgotten passwords. A common concern is that if the one set of credentials is hacked, access to all systems is exposed. In this case, 2FA can eliminate this perceived risk. In this scenario, the end user presents his or her ID badge ("something the user has") to a reader attached to the machine, enters his or her credentials ("something the user knows") and then, as an extra layer of protection, enters a PIN code when accessing highly sensitive systems. It is also feasible for the ID badge to replace the credentials, with the PIN becoming the second factor.

Summary
Two factor authentication has caught on rapidly in the Business to Consumer arena. Functionality such as self-service password reset was originally implemented to reduce call volume, and the security of this functionality has been strengthened in response to identity theft and social engineering. Secondary identification methods are now widely available to businesses interested in providing the same secure functionality to employees.


For more information, please visit our website to learn more on password resets with 2FA and strong authentication.

Friday, October 12, 2012

Top Ways the Education Industry Could Benefit from Identity and Access Management Software


Free up time of IT employees
IT and helpdesk employees are often bogged down with the monotonous task of account creation. Though it is not difficult, it is extremely time consuming for staff who could be working on more technical projects. Minnetonka Public Schools IT department was dealing with this situation. They had developed their own in house solution for account management but still had to handle account creations manually, which was time consuming. The process consisted of data specialists retrieving information from students, employees and parents and then relaying it to the IT staff, who would manually manage the accounts. With this process, four to five employees were often involved in creating one account. Minnetonka decided to automate their account management process so that accounts are provisioned automatically for students, employees and teachers without much human intervention. By automating the process, they were able to easily free up the time of three full time employees. Now only one person has to touch account creation.

Reduce user pollution and keep systems up to date
With so much movement of students each semester, it is often difficult for the IT department to keep systems up to date with current student information and accounts. It is also time consuming to disable all accounts for students upon graduation and, as a result, many accounts are left active. This was the problem that Fitchburg State College was facing. They had over 40,000 accounts in Active Directory, which did not accurately reflect their actual environment. Although they attempted to go through and delete inactive accounts, they realized this was not a good method since they were inadvertently deleting active users, such as students continuing on to graduate studies. By automating their account management, when a terminated or graduated flag is set in the SIS, the account is automatically disabled according to preset rules. The IT department can now easily ensure that there is no user pollution and that their accounts are always up to date with the correct information.

Reduce helpdesk tickets
According to a survey conducted by Tools4ever, one of the most common helpdesk calls is for resetting a user password. This issue does not require much skill from the helpdesk employee but can be very time consuming when they are receiving many password reset calls a day. Not only do they have to deal with password calls, but, especially at the beginning of the school year, students and employees call because their accounts are incorrect or they cannot access the systems and applications. Pinellas County School District was one such district facing these issues. The IT department was spending a lot of time correcting account problems, and was receiving a large number of password reset calls, especially after a summer break. To resolve these issues, Pinellas implemented a self-service password reset solution so end users can easily and securely reset their own passwords by answering a series of challenge questions they had previously enrolled with. To deal with their many account issues, they also implemented an automated account management solution. Now when an account is created in Active Directory, it automatically populates the parent portal, student information system and any other systems as required, eliminating a tedious and potentially error-prone manual process.

Always have correct access to accounts
Students and teachers often complete work for classes outside school administration hours and need to access certain applications and systems. If they forget their password and are locked out of their account, they cannot access the resources they need, since the helpdesk is not available after school hours. Harrison College has 13 campuses and also offers several online courses which can start as late as 10 PM. With the helpdesk only being available until 5 PM, users who had issues with passwords after closing time could not resolve them until the next day. By implementing a self-service password reset solution, Harrison was able to give users the option to safely and securely reset their own passwords without having to contact the helpdesk. This eliminated the problem of password issues arising after the helpdesk closed and allowed users to quickly reset their passwords and continue with their studies.


Ensure proper access rights
In schools, students often need certain access rights depending on what grade they are in or if they have certain privileges. At North Hunterdon-Voorhees School District this was specifically the case concerning student access to the internet. In order for students to be allowed to access the internet they need to have a permission form filled out by their parent. The HR department would then have to add the student to the correct security group. This process was handled manually and was time consuming and often resulted in error. By implementing a user management solution, the registrar now simply checks a box on a student’s profile, and internet access is granted. This has saved the district an enormous amount of time and ensured that students have the correct access rights.


For more information, please visit our website.

Friday, September 21, 2012

How to control authentication and authorizations in healthcare environments?

Active Directory is the central source for users to access applications and systems. In the context of information security, it is important to keep user accounts in the Active Directory up-to-date and accurate. As an example, this will prevent former employees from being able to access the network and systems if their user account is left active. Despite the high requirements for information security, many healthcare organizations are still manually managing user accounts on a routine basis. Information regarding new employees is being passed, typically on paper, between the hiring manager, HR department and the IT department, who, in the end, manually create accounts based on the available - and often inaccurate - information. This situation is less than optimal and can lead to risks, such as:
  • A large workload for the IT department with manual and repetitive tasks;
  • Long turnaround time creating user accounts and the risk of making errors during the manual copying of data (such as typos in the name of the employee);
  • The risk that new employees receive the same rights as an employee in a similar function when they should not. When rights are copied there is a risk that employees receive access rights to applications and systems they really don’t require access to;
  • Risk of pollution in Active Directory due to accounts of employees that have left the organization remaining active. Such pollution by the accounts of former employees has a negative effect on audit scores and on compliance with regulations.

In order for healthcare organizations to mitigate these risks, they need to take control over their authentication and authorization management. By using an automated solution for user account management, organizations can greatly optimize the processes and reduce risks. CentraState Healthcare System, a non-profit community health organization in Freehold (New Jersey) is a leader in this regard and has achieved an efficient and streamlined process for user account management.

Do more with less
Regulatory compliance, and the ever growing need of doing more with less, are reasons that CentraState continually strives to improve their internal IT processes. CentraState Healthcare System recently embarked on a project to find a secure and automated method for managing the user account lifecycle in Active Directory and Exchange. Lauro Araya, Network Administrator, stated, “When the search started, our IT-staff was managing the process manually utilizing Microsoft Active Directory Users and Computers. This was a time consuming process and we wanted to avoid this manual intervention because it led to risks and errors.”

To be able to effectively manage the user account lifecycle, CentraState Healthcare System asked Identity & Access Management vendor Tools4ever to create a connector between their HR system Lawson, and Active Directory. The process begins when pertinent information of a newly hired employee is entered into the Lawson HR system. Conversely, as employees resign, a termination date is placed in the HR system. On a scheduled basis, Tools4ever’s User Management Resource Administrator application executes a query to capture all employee data and begins the process of updating Active Directory. If the account already exists in AD, any updates, such as name, location or department changes are appropriately processed.

If the account does not exist, it is created along with an Exchange mailbox, home directory and assigned to the appropriate Group Profiles based on job title and department. If the employee start date is in the future, the account is created but put in a disabled state until that date is reached and then it is activated.  When an employee termination occurs, the information is processed by the software and accounts are immediately disabled and then deleted after a specific period of time has passed.

Tools4ever made several customizations to suit the special needs of CentraState, such as the naming conventions for Active Directory and Exchange mailboxes. Business logic was also defined within the product to allow the automatic placement of users into the correct OU based upon their specific location and department. This information is also used to ensure mailboxes are created on the proper mail server. Information that is created during the Active Directory process, such as user account name and e-mail address, is fed back to the Lawson database twice a day. This is done to ensure that Lawson has accurate information whenever anything changes in Active Directory.
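The scheduled HR-to-directory run described above (create, update, future-dated enable, disable on termination, delete after a retention period, OU placement by location and department) can be expressed as one reconciliation pass. The following Python is an added illustration and is not UMRA's code nor CentraState's configuration: the record layouts, the naming and OU conventions, the 90-day deletion window and the sample data in demo() are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Added example: record layouts, naming rules and the 90-day deletion window
# below are assumptions for illustration, not CentraState's or UMRA's actual
# configuration. Constructed sample data lives in demo().

DELETE_AFTER = timedelta(days=90)  # assumed: disabled accounts are deleted after 90 days


@dataclass
class HrRecord:
    employee_id: str
    first: str
    last: str
    department: str
    location: str
    start_date: date
    termination_date: Optional[date] = None


@dataclass
class DirectoryAccount:
    employee_id: str
    department: str
    location: str
    enabled: bool
    disabled_on: Optional[date] = None   # set when a termination was processed


def target_ou(location: str, department: str) -> str:
    # Assumed convention: one OU per site, a sub-OU per department.
    return f"OU={department},OU={location},DC=example,DC=local"


def account_name(first: str, last: str) -> str:
    # Assumed convention: first initial plus surname, lower case, 20 chars max.
    return (first[0] + last).lower()[:20]


def reconcile(hr_rows, accounts, today):
    """One scheduled run: compare HR against the directory and list the actions."""
    by_id = {a.employee_id: a for a in accounts}
    actions = []
    for rec in hr_rows:
        acct = by_id.get(rec.employee_id)
        terminated = rec.termination_date is not None and rec.termination_date <= today
        if acct is None:
            if terminated:
                continue                       # never provision someone already gone
            actions.append(("create", rec.employee_id, {
                "sam": account_name(rec.first, rec.last),
                "ou": target_ou(rec.location, rec.department),
                "enabled": rec.start_date <= today,   # future hire stays disabled
                "mailbox": True, "home_dir": True,
            }))
        elif terminated:
            if acct.enabled:
                actions.append(("disable", rec.employee_id, {}))
            elif acct.disabled_on and today - acct.disabled_on >= DELETE_AFTER:
                actions.append(("delete", rec.employee_id, {}))
        else:
            changes = {}
            if (acct.department, acct.location) != (rec.department, rec.location):
                changes.update(department=rec.department, location=rec.location,
                               ou=target_ou(rec.location, rec.department))
            if not acct.enabled and acct.disabled_on is None and rec.start_date <= today:
                changes["enabled"] = True      # start date has arrived: activate
            if changes:
                actions.append(("update", rec.employee_id, changes))
    return actions


def demo(today=date(2012, 9, 21)):
    # Constructed sample data covering each branch of the lifecycle.
    hr = [
        HrRecord("E1", "Alice", "Smith", "Nursing", "Freehold", date(2012, 9, 1)),
        HrRecord("E2", "Bob", "Jones", "Pharmacy", "Freehold", date(2012, 10, 1)),
        HrRecord("E3", "Carol", "Lee", "Nursing", "Freehold", date(2011, 1, 3), date(2012, 9, 20)),
        HrRecord("E4", "Dan", "Wu", "Finance", "Freehold", date(2010, 6, 1), date(2012, 5, 1)),
        HrRecord("E5", "Eve", "Park", "Oncology", "Freehold", date(2011, 3, 1)),
        HrRecord("E6", "Frank", "Cole", "Radiology", "Freehold", date(2012, 9, 15)),
    ]
    directory = [
        DirectoryAccount("E1", "Nursing", "Freehold", True),
        DirectoryAccount("E3", "Nursing", "Freehold", True),
        DirectoryAccount("E4", "Finance", "Freehold", False, disabled_on=date(2012, 5, 1)),
        DirectoryAccount("E5", "Radiology", "Freehold", True),
        DirectoryAccount("E6", "Radiology", "Freehold", False),   # created ahead of start date
    ]
    return reconcile(hr, directory, today)


if __name__ == "__main__":
    for action in demo():
        print(action)
```

The point to notice is that every decision is driven by the HR record, never by what is already in the directory: a terminated employee with no account is simply never created, and an account is only enabled once the start date has arrived, so the directory cannot drift ahead of HR.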

Compliance with industry standard regulations
Approximately two weeks after commencement, the entire project was implemented and operational. The reduction in time spent by the staff managing the user account lifecycle was tremendous. Commenting on the project, Mark Handerhan, IT Manager, stated, “This implementation was one of the most highly valuable, cost effective solutions that I’ve ever implemented. We have taken the manual intervention out of the equation for many mundane AD /user tasks, such as disabling network accounts. User accounts are now disabled in real-time once terminated in Lawson. I believe efficiency is the best seller here.”

Mark Handerhan continues: “Besides the time reduction, the implementation provides us with a greater level of network security, while also assuring compliance with industry standard regulations such as HIPAA.” In summary, the IT staff at CentraState can spend more time on mission critical support and planning while eliminating the requirements to spend time on routine user account tasks.

For more information, please visit our website.

Friday, September 7, 2012

Allow the helpdesk to focus on more important issues than simple password resets

Using a username and password to log on to applications and systems is a common method of authentication. Various laws and regulations in the healthcare industry require that access security is tightened and that passwords meet certain complexity requirements such as minimum length, use of special characters, use of an uppercase letter, etc. In addition, a frequent requirement is for passwords to be changed after a certain period of time has elapsed. With the introduction of complex passwords, it is often difficult for employees to remember their Active Directory password, especially after a vacation. This leads to a significant increase in the number of password reset calls to the helpdesk.
On average, 25% of the calls to a helpdesk are estimated to be password-related, such as resetting forgotten passwords. The IT staff is burdened with resolving these calls, resulting in an increased administrative load for the IT department. At the same time, the end user also loses productive time because he or she is temporarily locked out of the network. Wouldn't it be great if the IT department was less burdened with these duties and could focus on resolving more critical calls?

Improvement of password management
South County Hospital, a 100 bed, 1,200 employee acute care hospital located in Wakefield, Rhode Island, was facing this exact problem. The hospital’s helpdesk was averaging between 20 to 25 password resets a month, each requiring about half an hour to complete due to the arduous process of receiving the call, placing a work order, resetting the password and then contacting the users, most of whom are busy clinicians.

With a focus on lean management, and an effort to make processes as efficient as possible, the hospital began to look for ways to improve password management and reduce the number of support calls to the helpdesk. By improving this process, the hospital also wanted to enhance the user’s experience so users did not have to wait on the process and could easily reset their own passwords to get on with their jobs.

When looking for a vendor with a solution to their password management issues, Tools4ever was a front runner as South County had previous experience utilizing another of their products, RealLastLogon. Tools4ever’s Self Service Reset Password Manager (SSRPM) was able to resolve all of the password reset issues in their environment and integrate with their Outlook web access page, a top priority at the hospital. SSRPM was also capable of integrating with Meditech, the hospital information system, to synchronize the password resets.

Self service password reset
With SSRPM, users can always reset their password and no longer depend on the operating hours of the service desk or helpdesk. Before the password is reset, it is critical that users identify themselves by answering a few personal challenge questions. This is safer than the traditional method, where a user can call the helpdesk and claim to be someone else. A new button, "Forgot My Password", is added to the Windows login screen, which the end user can click if the password is forgotten. By answering challenge questions such as "What is my mother's maiden name?", the user can identify themselves and securely reset their password.

The helpdesk can also ask the personal questions directly to identify a caller. The helpdesk employee does not see the full answer but only, for example, the second and last characters, which is enough to positively identify the caller.

When entering the new password, the end user is required to comply with the organization's password complexity requirements. While the password is being typed, each complexity rule that is met is flagged with a green check, for example: "Minimum password length of 10 characters: OK". Cryptic error messages are no longer needed.

Besides identifying the user through personal questions, Advanced Authentication is also possible via email and SMS authentication. This means that in addition to the regular questions that need to be answered, there is an additional question: "What is the PIN code you just received on your cell phone?" This form of authentication is referred to as two-factor authentication: something you know (the answers) and something you have, such as a mobile phone.

Easily customize and integrate with systems
South County implemented SSRPM in their environment and were able to integrate the solution with all of the applications at the hospital. SSRPM is set up to work with three different technologies at the hospital: Outlook Web Access for email, the standard Windows credential provider when logging on to the computer, and web access for people working outside the network. The hospital was also able to modify the security questions which users are asked when resetting their passwords. "The ability to choose questions that have an answer that only the user would know, yet are easy to remember, is important", said Ken Hedglen, Information Technology Manager at South County Hospital.

With SSRPM, South County’s users no longer need to spend precious time contacting the helpdesk and waiting for a reply to their password reset request. They are now able to answer a series of security questions and quickly reset their own password. The hospital liked that they did not need to provide any training on the product due to it being self-explanatory. “Any system that we implement that we don’t hear anything about after the fact is good, because no news is good news when it comes to systems” said Hedglen. SSRPM has also been beneficial to the helpdesk as they can handle other types of work orders. “The helpdesk can now focus on more important issues rather than simple password resets and are much more productive.”


For more information on Tools4ever solutions, please visit our website.

Wednesday, August 29, 2012

User and access management in Cloud applications – a challenge

It appears that ‘the cloud’ continues to expand within the commercial world. Google Apps, Salesforce.com, GoToMeeting, Office 365, itslearning, etc. are all being widely deployed. Controlling who has access to specific applications and corresponding data is even more complicated with cloud applications. Providers of cloud solutions confer little priority to developing better management of user accounts and access rights in their applications. Consequently, user and access management in cloud applications entails a number of challenges:  
  1. Federation is not a replacement for provisioning - Working with cloud applications means more authentication sources: Active Directory in one's own corporate network and one or more authentication sources, for example an AD, LDAP directory or database, in the cloud. There are only a few possibilities for synchronizing user accounts between both authentication sources (such as AD Federation Services from Microsoft and the SAML standard). In this manner, end users can log in transparently to the cloud applications. However, federation is not a replacement for provisioning and basic user account management.
  2. Too many manual actions - Providers who do not support federation frequently offer a web-based interface that managers can use to control access to the cloud application directly. This necessitates a sequence of manual operations and is time-consuming and error-prone. Even when it is possible to import a basic CSV file into the cloud application, manual intervention by the application manager is still required.
  3. Different conventions for naming and passwords  - Conventions governing naming standards and passwords are often inconsistent between network and cloud applications. In the network, a user ID might be based on the log-in name, and in the cloud it might be the e-mail address. This complicates exchanging user account details between the environments, and many times, differences also apply to password conventions. When extremely complex passwords are required in the corporate network, cloud applications might not be able to handle this type of password. The possibility also exists that the cloud application requires a different duration for password expiration than within the corporate network. 
  4. Missing organizational structure  - The reporting hierarchy structure within an organization is often utilized to assign authorizations to employees based on their role or position, commonly referred to as Role Based Access Control (RBAC). Within the corporate network this structure is contained in an HR system or within Active Directory. Cloud applications normally cannot translate this organizational structure, and the web based provisioning functionality they offer does not offer a robust method for incorporating this level of detail. Naturally, it is possible to transfer the entire organizational structure to the cloud application, but this requires an enormous volume of management activity when something in the hierarchy changes. 
  5. What if the connection drops? - Providers who offer links between the network and cloud applications often use event-based synchronization between the systems. However, they do not have a procedure in place to deal with a temporary drop in the connection. Cloud applications do not provide any guarantee or notification that synchronization completed successfully.
  6. Reject bulk actions - Bulk actions in cloud applications are occasionally rejected by the application. Some cloud applications impose restrictions on the number of actions that can be carried out in one pass, or require that no management activities are undertaken during working hours to prevent overloading their network.
Working with cloud applications generally means that organizations no longer have user and access management in their own hands, and that the rules and SLAs of the cloud applications apply. User and access management are of secondary importance to business requirements. If it is requisite for your organization to have control of user and access management, Tools4ever can help you.

Tools4ever acknowledged that the migration of applications to the cloud would bring new challenges in the field of user and account management. With this in mind, Tools4ever developed links (connectors) that offer the following functionality:
  • Password synchronization. If a password is changed in Active Directory, this change will be automatically implemented (synchronized) in the cloud application;
  • Auto provisioning of user accounts, linked to UMRA's proprietary user account management process, ensures synchronization of user accounts for employees through the HR system, as well as any changes made by the helpdesk, managers and even end users. User accounts are created, modified, enabled, disabled, removed etc. in a completely automated way;
  • Integrated access management from the end users to the cloud application. Access to the various components of the cloud application is assigned or revoked on the basis of the end user's organizational role. UMRA features an advanced RBAC module that controls access to the cloud application on the basis of the department/job title in the HR system, as well as the choices that managers have made for their employees;
  • A centralized dashboard that provides IT managers with an overview of the cloud applications deployed by each user. The dashboard can be used to control the license costs as well as for logging and reporting purposes;
  • Single Sign On for all cloud and web applications based on existing Active Directory credentials. This means that users are no longer required to remember a host of user names and passwords.
For additional information or to download one of our solutions, please visit our website.

Friday, August 3, 2012

Customer Satisfaction and Password Resets

Two recent customers of Tools4ever, a bank and a car dealership, brought to light a new value proposition of our password management solutions that I had not previously thought of.  In both cases, these clients have a great number of employees that spend the majority of their time interacting with clients.  Can you imagine a client’s frustration if a bank teller needed to wait on hold for 10-15 minutes to get the helpdesk online to reset a password? Worse yet, what if it was a Saturday and the helpdesk was unavailable, how much productivity would be lost?

Both of these organizations turned to Tools4ever for assistance. In the case of the bank, they were receiving 3-5 calls per day for password resets. By implementing Self Service Reset Password Manager (SSRPM) and Enterprise Single Sign On Manager (ESSOM), they were able to drive that number to virtually zero calls.  ESSOM reduces the number of credentials a user needs to remember down to one and SSRPM allows self-service should the employee forget that set. 

The auto dealership had an SSO solution that was being phased out by the vendor and support was coming to an end. They knew the calls to the helpdesk would increase dramatically as users would go from 1 set of credentials to needing to remember between 5 and 10. Implementing the Tools4ever ESSOM solution fit the bill. All of their dealer and financial applications were easily accommodated. Taking it one step further, all employees were "pre-enrolled" into ESSOM. Their user names and passwords were entered into the database and encrypted. This means the end user is never even made aware of what their credentials are for the various applications. If someone leaves, shutting off their ESSOM profile prevents access to any application.

I am always amazed at the new ways our customers find to utilize our products to increase productivity and, in this case, help ensure their customers have a more positive experience. For more information, please visit our website.

Friday, July 27, 2012

Password Synch versus Single Sign On

In many implementations of our Self Service Reset Password Manager (SSRPM), a client will request that we send the new password to several other applications. On the surface, this seems like a simple request and a function that our product is certainly capable of providing. Once you delve deeper, there are a number of complicating factors that need to be considered:
  • Are user names the same across all systems? If yes, implementing is easy. If no, a translation table will need to be built up to make sure JDOE in system 1 is equal to John_Doe in system 2 and DOEJ in system 3 and so on.
  • Are password complexity rules the same in all systems? If yes, implementing is easy. If no, the most complex password requirement now becomes the defacto standard. Special character restrictions can also become an issue.
  • What happens if System B is unavailable when the synch occurs? A password storage vault and error handling need to be implemented to ensure the reset can be applied once the system becomes available again.
  • While SSRPM addresses forgotten passwords, how do we capture regular password changes and synch them as well?
While Tools4ever has the products (PSM and PCM) and expertise to address these issues, there needs to be a determination of feasibility and reliability. This determination corresponds directly to the number of systems that need to be synched. Sending password resets to 2 or 3 systems in addition to Active Directory is a complex requirement but entirely feasible.
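The three factors above (a user name translation table, the strictest complexity rule becoming the de facto standard, and a vault plus retry when a target is down) are easiest to see in code. The Python below is an added example and not Tools4ever's PSM or PCM; the system names, the JDOE/John_Doe/DOEJ mapping and the policy values are assumptions, and the queued deliveries are kept in memory here where a production vault would encrypt them at rest and purge them after delivery.

```python
import re
from collections import deque

# Added example, not Tools4ever's PSM or PCM: the system names, the user-ID
# translation table and the policy values are assumptions for illustration.

# Translation table: the same person is JDOE, John_Doe and DOEJ on three targets.
USERNAME_MAP = {
    "jdoe": {"system1": "JDOE", "system2": "John_Doe", "system3": "DOEJ"},
}

# Per-target password rules (assumed values). "classes" = character classes required.
POLICIES = {
    "ad":      {"min_length": 8,  "max_length": 127, "classes": 3, "forbidden": set()},
    "system1": {"min_length": 10, "max_length": 16,  "classes": 2, "forbidden": set("<>&")},
    "system2": {"min_length": 8,  "max_length": 20,  "classes": 3, "forbidden": set("'\"")},
    "system3": {"min_length": 6,  "max_length": 32,  "classes": 1, "forbidden": set()},
}


def strictest_policy(policies=POLICIES):
    """The most complex requirement becomes the de facto standard for all targets."""
    return {
        "min_length": max(p["min_length"] for p in policies.values()),
        "max_length": min(p["max_length"] for p in policies.values()),
        "classes": max(p["classes"] for p in policies.values()),
        "forbidden": set().union(*(p["forbidden"] for p in policies.values())),
    }


def satisfies(password, policy):
    classes = sum(re.search(pat, password) is not None
                  for pat in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return (policy["min_length"] <= len(password) <= policy["max_length"]
            and classes >= policy["classes"]
            and not (set(password) & policy["forbidden"]))


class PasswordSync:
    """Push one reset to every target, queueing targets that are unreachable."""

    def __init__(self, targets, username_map=USERNAME_MAP):
        self.targets = targets          # name -> callable(user_id, password); raises ConnectionError when down
        self.username_map = username_map
        self.pending = deque()          # deferred deliveries; a real vault encrypts these at rest
        self.log = []                   # (status, target, user_id) for audit

    def reset(self, ad_user, password):
        # Reject up front anything one of the targets would refuse later.
        if not satisfies(password, strictest_policy()):
            raise ValueError("password does not meet the strictest combined policy")
        for name in self.targets:
            self._deliver(name, self.username_map[ad_user][name], password)

    def _deliver(self, name, user_id, password):
        try:
            self.targets[name](user_id, password)
            self.log.append(("ok", name, user_id))
        except ConnectionError:
            self.pending.append((name, user_id, password))
            self.log.append(("deferred", name, user_id))

    def retry_pending(self):
        """Re-run every queued delivery once; still-failing ones stay queued. Returns queue size."""
        for _ in range(len(self.pending)):
            name, user_id, password = self.pending.popleft()
            self._deliver(name, user_id, password)
        return len(self.pending)


def demo():
    """Constructed run: system2 is down during the reset and back for the retry."""
    received, down = {}, {"system2"}

    def make_target(name):
        def deliver(user_id, password):
            if name in down:
                raise ConnectionError(name)
            received[(name, user_id)] = password
        return deliver

    sync = PasswordSync({n: make_target(n) for n in ("system1", "system2", "system3")})
    sync.reset("jdoe", "Correct-Horse-42")
    first_pass = list(sync.log)
    down.clear()
    still_queued = sync.retry_pending()
    return first_pass, still_queued, received
```

Notice how quickly the merged policy tightens: with only four targets the allowed length window has already shrunk to 10 to 16 characters and five special characters are banned outright, which is exactly why the number of synched systems has to stay small.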

When the number of systems expands much beyond that, the recommendation would be to lean towards a Single Sign On (SSO) solution that eliminates all of the issues above. SSO can capture and cache all credentials for any number of systems, making the synch unnecessary. All users need to remember is one set of credentials: their AD username and password. SSO can handle password resets automatically for all systems, and complexity rules are a non-issue as they are addressed at the application level.

For more information, please visit our website.

Friday, July 20, 2012

Workflow and Identity Management

One topic we seem to be running across with increasing regularity is employees starting work before they are actually entered into the HR system. When this occurs, completely automated user account creation breaks down. The employee will need access to the network, email and applications on their first day, but HR can have a lag of a few days to a few weeks before all information is compiled, approved and entered into the HR system.

To resolve this issue, we have several creative methods to ensure the employee has what he or she needs to be productive on Day 1. At one recent customer install, we implemented web forms to allow a hiring manager to start the user account lifecycle process. Basic information, such as name, department and title, is entered into the web form. From there an automated workflow process takes over and routes the system access request to the appropriate individuals. As approvals are granted, the system automatically creates the accounts in Active Directory, Office 365 and several other systems based on the user requirements. This process ensures the new employee has what they need on their first day of work.

Once the automated process detects that the user has been added to the HR system, a synching process occurs and adds other relevant information to Active Directory, such as employee number, address, office location and cell number. The automated process also detects changes in employee status, such as departmental transfers, and takes appropriate actions to re-provision access. The HR system also feeds termination dates to the User Management application to ensure access is disabled. The HR team and managers also have a web form where they can mark an employee as terminated immediately, ensuring that access to the network is revoked instantaneously.
To learn more about utilizing the Tools4ever User Management solution to delegate account creation responsibilities, please visit our website.

Thursday, May 31, 2012

Who is it?

The majority of calls received by the IT helpdesk require caller verification. After all, the helpdesk agent will want to be certain the caller is who they claim to be before granting access privileges to sensitive business applications. But how can helpdesk agents determine the identity of end users?

Many organizations require a physical form of identification in order for the helpdesk to make changes. For instance, employees will be asked to provide a document signed by their manager or a copy of their identification before being assigned any privileges. On the other hand, faster approaches, such as a simple call to the helpdesk, often involve too many risks.

In response to these challenges, Tools4ever has developed Helpdesk Caller ID Verification. This solution offers a simple mechanism for determining a caller’s identity. To this end, the caller will first be prompted to provide answers to a series of personal questions, such as “What is your mother’s maiden name?” Thanks to the use of an intelligent technique, the helpdesk agent will not see the answer to the question, but only parts of the answer (e.g. the first and last characters). The helpdesk agent will subsequently ask the caller which characters have to be entered.
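The partial-answer technique described here, and earlier in the South County post (the helpdesk sees only, for example, the second and last characters), can be sketched as follows. This Python is an added example, not Helpdesk Caller ID Verification's implementation: the stored record layout, the two-character reveal and the three-attempt lockout are assumptions.

```python
import hmac
import secrets

# Added example of the partial-answer technique, not Tools4ever's implementation:
# the stored record layout, the two-character reveal and the three-attempt limit
# are assumptions for illustration.


def normalize(text: str) -> str:
    """Case and spacing differences must not fail a genuine caller."""
    return "".join(text.split()).lower()


class CallerVerification:
    def __init__(self, chars_revealed=2, max_attempts=3):
        self._answers = {}          # user -> {question: normalized answer}; encrypt at rest in practice
        self.chars_revealed = chars_revealed
        self.max_attempts = max_attempts
        self.failed = {}            # user -> consecutive failed attempts
        self.audit = []             # (outcome, user) for every verification

    def enroll(self, user, question, answer):
        self._answers.setdefault(user, {})[question] = normalize(answer)

    def challenge(self, user, question, positions=None):
        """Build what the agent's screen shows: which positions to ask for and
        the characters at those positions only, never the whole answer."""
        answer = self._answers[user][question]
        if positions is None:
            positions = sorted(secrets.SystemRandom().sample(range(len(answer)), self.chars_revealed))
        return {
            "user": user,
            "question": question,
            "ask_for": [p + 1 for p in positions],          # 1-based for the phone conversation
            "expected": "".join(answer[p] for p in positions),
        }

    def verify(self, challenge, caller_said):
        user = challenge["user"]
        if self.failed.get(user, 0) >= self.max_attempts:
            self.audit.append(("locked", user))
            return False                                   # fall back to the out-of-band process
        ok = hmac.compare_digest(normalize(caller_said), challenge["expected"])
        self.failed[user] = 0 if ok else self.failed.get(user, 0) + 1
        self.audit.append(("verified" if ok else "failed", user))
        return ok
```

Two details carry the security value: the positions are chosen fresh per call, so an agent (or anyone overhearing) never accumulates the whole answer, and repeated failures lock the caller into the slower paper-based process rather than allowing unlimited guessing.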

Helpdesk Caller ID Verification does not require any additional hardware, making it a cost-efficient, easy to implement solution. This means organizations can easily verify the identity of callers in a secure fashion.

For more information, please visit our Website.

Monday, March 12, 2012

HOW TO INTRODUCE STRONG PASSWORDS : THREE SIMPLE STEPS

More and more organizations and IT departments need to introduce password complexity. Implementing strong passwords that have to change regularly is not easy, and can get a lot of resistance from the end users, or generate unnecessary helpdesk calls. Here are three simple tools to help you introduce complex passwords in your organization:

1. Password Self-Service:
In order to reduce the number of helpdesk calls that are password related, make users autonomous in managing and recovering their passwords. Results: fewer password reset calls, 24x7 service, increased security (helpdesk identification). SSRPM (Self-Service Reset Password Manager) by Tools4ever is a good tool, allowing password resets through security questions or strong SMS authentication.

2. Reduce the number of Passwords that users have:
Naturally the more passwords users have to manage the more they will resist to strong password policies. Introduce a tool that reduces the number of passwords.

Results: decreased number of passwords = user comfort

With Single Sign-On tools like Tools4ever’s E-SSOM (Single Sign –On Manager) it is possible to reduce the number of logins and password combinations to just one, and eliminate about 3 to 5 password logon combinations per day.

3. Help users create strong passwords through a password creation wizard.
In order for users to not get frustrated when creating their new strong password, they may need some assistance. A simple windows integrated tool can assist users while creating their password, showing the complexity rules and flagging each requirement as it is fulfilled.

Results: Users can create strong passwords instantly without getting unclear Windows error messages.

A tool that assists users in creating strong passwords according to the company's own rules is PCM (Password Complexity Manager). It is extremely user friendly and integrates seamlessly into the user environment.
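The rule-by-rule feedback described in step 3, and in the SSRPM post above ("Minimum password length of 10 characters: OK"), comes down to evaluating each policy rule independently instead of returning one pass/fail verdict. The Python below is an added example and not PCM's code: the seven rules are an assumed company policy, and the salted PBKDF2 history store is a simplification of how a real directory keeps password history.

```python
import hashlib
import hmac
import os
import re

# Added example of a rule-by-rule password wizard, not PCM's code: the seven
# rules below are an assumed company policy, and the PBKDF2 history store is a
# simplification of how a real directory keeps password history.


def history_entry(password: str):
    """Store a salted PBKDF2 hash of an old password so it can be compared later."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def evaluate(password: str, username: str, history):
    """Check every rule and return [(description, met)] so the UI can tick each one."""
    def reused(pw):
        return any(hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000), digest)
                   for salt, digest in history)
    return [
        ("Minimum password length of 10 characters", len(password) >= 10),
        ("At least one uppercase letter", re.search(r"[A-Z]", password) is not None),
        ("At least one lowercase letter", re.search(r"[a-z]", password) is not None),
        ("At least one digit", re.search(r"[0-9]", password) is not None),
        ("At least one special character", re.search(r"[^A-Za-z0-9]", password) is not None),
        ("Does not contain your user name", username.lower() not in password.lower()),
        (f"Not one of your last {len(history)} passwords", not reused(password)),
    ]


def render(checks):
    """The lines the wizard shows, e.g. 'Minimum password length of 10 characters: OK'."""
    return [f"{rule}: {'OK' if met else 'not yet'}" for rule, met in checks]


def acceptable(checks) -> bool:
    """Only when every rule is ticked is the password submitted to the directory."""
    return all(met for _, met in checks)
```

Because each rule reports separately, the user sees which single requirement is still open ("At least one special character: not yet") instead of the generic Windows message that the password does not meet policy.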

If you have more questions on introducing complex passwords don’t hesitate to contact us.

Related to:
  • Strong passwords
  • Active directory password
  • Password reset
  • Password self-service
  • Complex passwords
  • Single sign on
  • Password synchronization

Friday, March 9, 2012

ACCESS MANAGEMENT AND SOX COMPLIANCY/AUDIT

When talking with IT management on Identity and Access Management issues, we regularly meet companies that have to be compliant with SOX regulations. This usually has a big impact on the organization of processes, but also on the IT department, especially concerning the management of access rights. Three of the most common issues are:

Workflow and validations on access rights:
Whether it concerns a regular Active Directory user account, NTFS rights, Active Directory groups, e-mail or application authorizations, all the requests and validations have to comply with the SOX regulations, which may mean that in order to create one user account the IT department needs the signatures of the requester, the validating manager and the IT director.

We have seen companies where this process was entirely managed by paper-driven processes, and at each SOX audit the IT department would spend weeks digging through the papers with the auditor. An automated workflow system such as UMRA (User Management Resource Administrator) can automate these validation steps and make the SOX audit a piece of cake for the IT department.
Instead of papers getting lost in the process and people waiting for their access rights, UMRA automatically alerts the right validators, who with a simple action can validate a request before it is sent automatically to the next validator or to IT for granting.

Traceability:
Naturally all requests for access and granting of access should be traceable in the identity and access management solution. This is a standard feature of the Tools4ever Identity and Access Management suite.

Segregation of Duty:
This aspect of SOX compliancy requires that certain tasks cannot be performed by one and the same person. For example an order may be placed by person X but this should be validated by person Y. This can have consequences for access management, in the sense that it requires the access to certain data, or the access rights within an application must be tightly controlled.

In terms of access management and authorization management, this means that the access management system must block or alert whenever two such authorizations are about to be granted to one and the same user. This is easy to realize with the reporting and provisioning mechanisms in the Tools4ever identity and access management solutions. We only have to know which authorizations cannot be combined, and the solution will manage and audit the requirement automatically.
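The segregation-of-duty control above reduces to a list of authorization pairs that may not coexist, a check at grant time that either blocks or alerts, an audit trail for traceability, and a periodic report over existing grants. The Python below is an added example, not the Tools4ever suite's logic; the authorization names and conflict pairs are assumed for illustration.

```python
from itertools import combinations

# Added example of a segregation-of-duty control, not the Tools4ever suite's
# own logic: the authorizations and conflict pairs are assumed for illustration.

# Pairs of authorizations that must never be held by one and the same person.
CONFLICTS = {
    frozenset({"order.create", "order.approve"}),
    frozenset({"vendor.create", "payment.release"}),
    frozenset({"journal.post", "journal.approve"}),
}


class AccessManager:
    """Grants authorizations and blocks (or flags) any grant that completes a conflicting pair."""

    def __init__(self, conflicts=CONFLICTS, mode="block"):
        self.conflicts = conflicts
        self.mode = mode            # "block": refuse the grant; "alert": grant but flag it
        self.grants = {}            # user -> set of authorizations held
        self.audit = []             # every decision, for traceability at audit time

    def conflicts_with(self, user, new_auth):
        held = self.grants.get(user, set())
        return sorted(a for a in held if frozenset({a, new_auth}) in self.conflicts)

    def grant(self, user, auth, requested_by):
        clash = self.conflicts_with(user, auth)
        if clash and self.mode == "block":
            self.audit.append(("denied", user, auth, requested_by, clash))
            return False
        self.grants.setdefault(user, set()).add(auth)
        status = "granted-with-alert" if clash else "granted"
        self.audit.append((status, user, auth, requested_by, clash))
        return True

    def revoke(self, user, auth, requested_by):
        self.grants.get(user, set()).discard(auth)
        self.audit.append(("revoked", user, auth, requested_by, []))

    def report(self):
        """Periodic review: every user currently holding a conflicting pair."""
        findings = []
        for user, held in sorted(self.grants.items()):
            for a, b in combinations(sorted(held), 2):
                if frozenset({a, b}) in self.conflicts:
                    findings.append((user, a, b))
        return findings


def demo():
    """Constructed scenario: a blocking manager and an alert-only manager."""
    blocking = AccessManager()
    blocking.grant("alice", "order.create", "mgr1")
    blocking.grant("alice", "order.approve", "mgr1")     # denied: completes a conflicting pair
    blocking.grant("bob", "order.approve", "mgr1")       # fine: different person
    alerting = AccessManager(mode="alert")
    alerting.grant("carol", "vendor.create", "mgr2")
    alerting.grant("carol", "payment.release", "mgr2")   # granted but flagged
    return blocking.audit, alerting.report()
```

The report() pass matters as much as the grant-time check: conflicts also arise when the conflict list itself is extended after rights were already granted, and the periodic review is what surfaces those to the auditor.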

Feel free to contact your Tools4ever office if you have any questions about SOX compliancy and Access Management workflows.