Like large organizations, small businesses often face several identity and access management problems, such as keeping systems and applications secure and handling password issues. Unlike large organizations, they often lack the staff and resources to handle these tasks easily, so the tasks either go undone or cost more time and money than necessary. Several solutions are available to small businesses that mitigate these problems and save time and money in the long run.
Ensure Security of Systems and Applications
Employees often have many sets of credentials to log in to their applications and do their jobs. To keep track of them, employees often write down their user names and passwords and keep the note somewhere near their desks. This puts the organization's applications at risk and reduces security.
An easy way for small businesses to reduce the headache of multiple passwords for their employees, and to keep their systems secure, is a single sign-on (SSO) application. With an SSO solution, employees only have to remember one set of credentials. Once they enter that single user name and password, they are automatically signed in to each application and system as they open it. Employees then have no reason to fall back on insecure ways of remembering their passwords.
A single sign-on solution can also incorporate two-factor authentication as an additional layer of security for the systems and applications small businesses use.
Two-factor authentication requires users to present a smart card as well as a PIN code, which adds security to the login process. It can also be customized to the needs of the organization, for example by having the computer remember the PIN for a defined period of time, or by automatically closing all sessions on the computer when the smart card is removed. Each of these customizations adds security to the systems while improving efficiency for the user.
Easily Reduce Password Issues
Integrating single sign-on in your business can cut down on security breaches and streamline employee access.
When an employee forgets a password or is locked out of an application, they need to go through the time-consuming process of resetting it. In a small business, a 24x7 help desk may not be available. Where a help desk or IT department is available at all times, it may have a small staff, and time spent on password resets is time taken away from more important issues.
A self-service password reset solution allows end users to reset their passwords themselves, easily and securely. They register by providing answers to personal questions, much as on a banking website. Then, when they need to reset their password, they click the “forgot my password” button, provide the correct answers and reset their password without having to contact anyone else at the company.
This reduces the annoyance of password resets for both the IT department and the end user and allows them to both be productive working on more important tasks.
In conclusion, small businesses have many of the same issues that larger organizations deal with. By implementing one or all of the solutions discussed here, they can reduce the amount of time IT staff spend dealing with these issues and avoid needing a full-time employee to handle them.
For additional information, please visit our website.
Friday, June 28, 2013
Friday, June 21, 2013
Accessing Cloud Applications - A Challenge for the IT department
For an IT department, working with cloud applications and their providers presents a number of new challenges. Where the IT department previously took a facilitating role, it is now transitioning to a coordinating role. In addition, it can be significantly more difficult to control user and access privileges in cloud applications. Control over user accounts and roles (who has access to which cloud applications and data) is more complex than with applications that reside within the network. Some of the causes are listed below:
1. Large amount of information
The flow of information within the business environment is exponentially larger, and changes far more frequently, than a few years ago. Organizations have to deal with a large number of users (employees, partners and, in some situations, even clients) and with many changes, for example when an employee leaves the organization. Previously, it was possible to perform the necessary account management processes at a pre-established interval, such as monthly or quarterly. Today this is no longer feasible, and the data must be refreshed weekly or even daily. Another factor is that custom scripts often do not work with cloud applications.
2. Different structure
It is a major challenge for the IT department to manage all the identities, roles and data that exist in the various cloud solutions. Many solutions use proprietary authorization and authentication structures. It is common for the same data to be required in different systems, but the varying structures make it very difficult to manage in a centralized fashion.
3. Multiple authentication sources
Active Directory, or another directory service such as Novell eDirectory or Apple Open Directory, is normally the central authorization point for users and most likely controls access to the other internal applications and systems. Cloud applications are typically not integrated with Active Directory, and the result is a need for multiple authentication sources: a directory service for internal applications and, typically, one authentication source per application in the cloud.
Working with multiple authentication sources of this type is complex because there are only limited options to synchronize user accounts between the sources (also known as federation support), such as Microsoft ADFS and the SAML standard.
4. More manual actions
Vendors that do not offer federation support (for example, several vendors of electronic portals and HR systems) offer a web-based portal that administrators can use to manage the cloud application directly. This requires personnel to manually create accounts for new employees and partners, and to disable the accounts of employees and partners who are no longer part of the organization.
Although typically very well organized, these web portals require a large number of manual operations, which is time consuming and error prone. Some applications allow a bulk upload via a .CSV file, but this still requires manual intervention to create the file, upload it and verify the result, which can produce a lot of work. In some cases, vendors have developed a link to the user account source to fully automate the process; this is also known as provisioning. The link retrieves the information from the source system where it is held and pushes it into the target application, for example an electronic learning environment.
5. Password and naming conventions
Another issue that often arises is the standard for naming conventions and passwords. What works, or is required, in one system may not work in another. For example, a user ID in the network may be based on the login name, while the cloud application may require the e-mail address. This makes the exchange of user account data between the two environments very complex. The same issue can arise with password conventions. Complex passwords are usually required within the network, for example a combination of letters and digits, but you may not be able to use the same convention within the cloud applications. Another factor to consider is the password expiration cycle: one system may be on a 90-day cycle while another requires a change every 30 days. Synchronizing passwords between the network and cloud applications can be tricky, and proper planning is required prior to implementation.
6. What if the connection drops?
Vendors that provide links between the network and cloud applications often use event-driven synchronization between systems (i.e. when a change occurs, it is propagated immediately between the network and the cloud). However, they may not have a procedure for handling a temporarily dropped connection. Suppose a bulk upload to create new employee accounts is running and, in the middle of the transfer, the connection with the cloud application drops. The result can be a tremendous amount of manual work to find out which records have or have not been created, since cloud applications may not provide a notification that synchronization was successful.
7. Bulk actions
Processing bulk actions in the cloud is sometimes restricted or denied by the application. For example, imagine you need to create user accounts for several thousand employees, partners, clients or students in a hosted e-mail system at the beginning of the school year. Some cloud applications restrict the number of actions that can be performed at one time, or even require that administrative work be done outside working hours to avoid overloading the network. While not all cloud application vendors are restrictive in this fashion, several are, and this can impose extra work on the IT department.
8. Connecting import scripts
Frequently, various systems within a single network require the same information. The IT department wants to avoid duplicate manual input wherever feasible, as it is inefficient and can lead to errors. In many cases, scripts are created to load the data from an authoritative system into all dependent applications. Usually a separate script is required for each dependent system, as the data elements and requirements are unique to it. With the advent of cloud applications this is more difficult to achieve, as these solutions do not always provide an interface that traditional scripts can use.
Every organization has to deal with tight budgets and strict federal or local regulations, and all are under great pressure to constantly seek ways to work more efficiently. Working with cloud applications can, in many cases, mean that user and access control is not optimal or effective and requires more attention. Suppliers of cloud solutions give little priority to developing better management of user accounts and access rights in their applications; they are understandably focused on developing new features and business-oriented functionality.
Friday, June 14, 2013
4 Time-Saving Healthcare IT Industry Trends
As the U.S. economy slowly improves, healthcare facility IT budgets are likely to remain flat, or see only modest increases, in 2013. This means that IT departments will continue to look for ways to make their organizations and infrastructures run more efficiently.
Below are four areas that will be of particular interest to technology departments in the healthcare industry. Healthcare facilities will likely be looking for time-saving ways to eliminate end-user calls to the IT help desk, so we’ll likely see an uptick in self-service applications for IT end users.
No. 1: Self-Service Applications for End Users
Self-service password reset applications have been around for several years now and continue to prove their value. End users enroll by answering a series of challenge questions and, should they forget their password, can reset it directly from the network login screen or website. This eliminates a call to the help desk and lets the employee become productive immediately instead of waiting in the help desk phone queue.
No. 2: Cloud Applications in the Healthcare Industry
As solutions like Gmail and Office 365 continue to gain traction in healthcare, the ability to provision and deprovision accounts in a timely fashion becomes critical to controlling costs. While many health systems have implemented identity management solutions for Active Directory (AD), extending a seamless process to these cloud applications can be a challenge.
Though both Google and Microsoft offer tools to synchronize AD with their respective products, they reportedly fall short in many areas and can make account management a tedious chore. Many vendors now offer advanced tools that allow for easy synchronization and management of accounts in these, and many other, healthcare cloud applications.
No. 3: Use of Single Sign-On
In hospitals and other healthcare settings, both authorized and unauthorized people often use the same workstation computers, meaning that unauthorized people can view restricted information if accounts are not securely managed. Yet clinicians frequently share a common username and password with peers to avoid wasting time switching between user profiles.
By reducing the time required to log in, single sign-on lets clinicians access patient information easily and securely as they move quickly from room to room. It is even possible to integrate “Follow Me,” which allows users who have opened applications on Citrix and/or Terminal Server to continue their work on another computer. Overall, clinicians will be able to focus less on signing in and more on caring for patients.
No. 4: Security and Audit of the Healthcare Industry
As in past years, securing the network and providing accurate reporting to auditors will have a large impact on the IT department, in both time and money. The IT department needs to give employees the access rights they require to applications and network functional areas, while ensuring unnecessary access is never granted.
The application also creates the appropriate Exchange mailbox and a home folder for the employee on the appropriate share drive. By ensuring the proper access rights, it makes the audit process that much easier and ensures compliance at all times.
Tale of Two Cities
Identity/password management has been a growing trend in the areas of healthcare, education and business. Lately, government agencies at the local, state and federal levels have also been taking a look.
Out of Control Passwords
St. Petersburg, Fla., currently has about 3,600 full- and part-time employees and was having immense problems with employee password reset requests. On a daily basis, the IT help desk received 10 or more requests to reset passwords for the Active Directory (AD) network and various other applications.
Departmental leaders decided on a two-phase approach to tackle the issue. They first looked for a solution that would let end users reset their own passwords for the AD network, and implemented a self-service password reset tool. The first part of the implementation required end users to select a series of challenge questions and provide answers to them. After enrollment, end users could simply click a "Forgot My Password" link on the login screen, provide the answers and reset their password.
The second phase of the password project was to reduce the number of passwords required to access internal systems. As it stood, the average employee needed to remember eight user name/password combinations while some employees had upwards of 20. Again, the city's leaders looked to commercially available single sign-on solutions and settled on the same vendor that provided the self-service application.
The overall result of both phases of the project was a reduction in the time IT staff spend resetting passwords to nearly zero.
New HR application and new Directory Service
Tampa, Fla., faced several daunting tasks. The rollout of a new HR/financial system required that each employee have an AD account to access the application. The situation was further complicated because the city was running Novell eDirectory and GroupWise for e-mail.
After purchasing a commercially available product, the basic implementation was completed in a few days, using an extract from the outgoing HR system and the current employee list as the basis. After the HR/financial system implementation was completed, the IT group went back to the identity management provider to put additional components in place.
First was an automated process to create and disable users. Every time a new hire is entered into the HR system, the AD account and Exchange mailbox are created without manual intervention.
Conversely, whenever an employee is indicated as terminated in the HR solution, the account is automatically disabled.
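The HR-driven create/disable process just described, the dropped-connection problem and the bulk-action limits from the cloud applications post above can all be handled by one defensive pattern: treat the HR extract as the desired state, check each account before touching it so that a rerun is idempotent, cap the number of changes per run, and journal every record so an interrupted run shows exactly what was and was not processed. The following Python is an added example, not the city's or any vendor's code; the HR extract, the in-memory FakeDirectory API, its failure injection and the batch limit are all constructed for illustration.

```python
"""Added example (not the city's or any vendor's code): reconcile an HR extract
against a directory idempotently, journal every record, and resume after a
dropped connection or a bulk-action limit."""
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample HR extract; HR is treated as the authoritative source.
HR_EXTRACT = """employee_id,login,status
1001,alice,active
1002,bob,active
1003,carol,terminated
1004,dave,active
"""


class ConnectionDropped(Exception):
    """Simulates the connection to the cloud application dropping mid-transfer."""


@dataclass
class FakeDirectory:
    """Hypothetical in-memory stand-in for a cloud directory's account API."""
    accounts: Dict[str, bool] = field(default_factory=dict)  # login -> enabled?
    fail_after: Optional[int] = None  # raise once this many API calls were made
    calls: int = 0

    def _call(self):
        self.calls += 1
        if self.fail_after is not None and self.calls > self.fail_after:
            raise ConnectionDropped("connection to cloud application lost")

    def exists(self, login):
        self._call()
        return login in self.accounts

    def is_enabled(self, login):
        self._call()
        return self.accounts[login]

    def create(self, login):
        self._call()
        self.accounts[login] = True

    def enable(self, login):
        self._call()
        self.accounts[login] = True

    def disable(self, login):
        self._call()
        self.accounts[login] = False


CHANGES = {"create", "enable", "disable"}
DONE = CHANGES | {"unchanged", "not_created"}


def desired_state(extract_text):
    """Parse the HR extract into {login: should_be_enabled}."""
    reader = csv.DictReader(io.StringIO(extract_text))
    return {row["login"]: row["status"].strip().lower() == "active" for row in reader}


def needed_action(directory, login, should_be_enabled):
    """Look before acting: the current state decides the action, so rerunning
    after a failure never creates a duplicate or re-disables an account."""
    if not directory.exists(login):
        return "create" if should_be_enabled else "not_created"
    if directory.is_enabled(login) == should_be_enabled:
        return "unchanged"
    return "enable" if should_be_enabled else "disable"


def reconcile(desired, directory, journal, batch_size=100):
    """Apply the desired state. `journal` (login -> outcome) is updated per
    record, so after an interruption it shows exactly which accounts were
    handled; the record in flight is marked "unknown" and re-checked next run.
    `batch_size` caps changes per run for cloud apps that limit bulk actions.
    Returns "complete", "interrupted" or "batch_limit"."""
    changes = 0
    for login, should_be_enabled in sorted(desired.items()):
        if journal.get(login) in DONE:
            continue  # already handled in an earlier run
        try:
            action = needed_action(directory, login, should_be_enabled)
            if action in CHANGES:
                if changes >= batch_size:
                    return "batch_limit"
                getattr(directory, action)(login)
                changes += 1
        except ConnectionDropped:
            journal[login] = "unknown"
            return "interrupted"
        journal[login] = action
    return "complete"


if __name__ == "__main__":
    directory = FakeDirectory(accounts={"bob": True, "carol": True}, fail_after=3)
    journal = {}
    print(reconcile(desired_state(HR_EXTRACT), directory, journal), journal)
    directory.fail_after = None  # connection restored: rerun with the same journal
    print(reconcile(desired_state(HR_EXTRACT), directory, journal), journal)
```

The journal is the piece the blog says vendors often lack: after the simulated drop it records that alice was created and bob was in flight, and the second run picks up from there without re-creating anything, because every record is re-checked against the directory before it is touched.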
The second phase of the project was to implement a web portal that lets employees request access to security and distribution groups, as well as to a variety of applications or specific roles within an application. An end user logs in to the portal with their network credentials and is presented with a variety of options to request additional access. Once submitted, the request is routed to the employee's manager for approval and then to the IT department for final approval.
In summary, both municipalities used identity and password management solutions to let their IT employees and end users work more efficiently overall.
Friday, May 24, 2013
Four Simple Solutions for Introducing Complex Passwords
You want to introduce complex passwords to improve information security. But introducing such stronger passwords, which also have to be changed regularly, meets resistance among end users. After all, they have to remember a multitude of password/username combinations. This results in insecure situations, with employees writing passwords on Post-its, and in many password reset requests to the help desk. Here are four simple solutions with which you can introduce complex passwords into your organization without causing frustration among users.
1. Reduce the number of passwords with Single Sign On
Reduce the number of passwords so that employees only have to remember one complex password instead of dozens. Single Sign On (SSO) offers the ability to do this. SSO lets employees log in just once, after which access is automatically granted to every application and system the user opens. So the staff member does not have to log in afresh for each application, which saves an average of three to five logins with different passwords each day.
Perhaps you want to do away with even this remaining password? In that case SSO can be deployed in combination with an access pass. The security card your employees already use to enter the premises or for time and attendance then replaces the final password/username combination. By presenting the card to a reader (or inserting it) and, if required, entering a PIN code, the user is automatically logged in. When the employee presents the card to the reader again, he or she is logged out.
2. Automatic password synchronization
Would it not be ideal if the same password/username combination could be used for every application? The difficulty here is that the passwords almost always have an expiry date and need to be renewed regularly. And the expiry date is not the same for every application. For some applications a new password has to be set monthly, while other software might only require it once a year. It’s virtually impossible for users to reset a newly-introduced password in all the other required applications so that the password would then indeed be identical everywhere.
However, you can automate this very well with password synchronization solutions, which ensure that passwords are and remain identical across multiple systems. The newly set password is intercepted immediately and forwarded to all other applications.
3. Help users to create strong passwords
Employees often find it difficult to come up with complex passwords. Some applications insist that the password must contain an uppercase letter, a punctuation mark or a digit, or that the password must differ from the old one by X percent.
That’s why users need some help in creating new, strong passwords. Password creation tools assist users in producing their passwords: the applicable complexity rules are shown when users configure a new password, and users are told whether each requirement has been met.
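As an added example (not code from the original post or from Tools4ever), the following Python checks a candidate password against the policies of several connected systems at once, which is what both password synchronization and a password creation tool need: every rule is reported individually, and the "differs from the old one by X percent" rule is implemented with a text similarity ratio. The three systems and their rules are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

def percent_changed(old, new):
    """How far the new password differs from the old one, 0..100
    (difflib similarity ratio; 100 means nothing in common)."""
    return round((1 - SequenceMatcher(None, old, new).ratio()) * 100)

# Constructed policies for three hypothetical connected systems. Each rule is
# (label, predicate) so the user can be told exactly which requirement failed.
POLICIES = {
    "Active Directory": [
        ("at least 12 characters", lambda new, old: len(new) >= 12),
        ("an uppercase letter", lambda new, old: re.search(r"[A-Z]", new) is not None),
        ("a digit", lambda new, old: re.search(r"\d", new) is not None),
    ],
    "ERP": [
        ("at least 8 characters", lambda new, old: len(new) >= 8),
        ("a punctuation mark", lambda new, old: re.search(r"[^\w\s]", new) is not None),
        ("differs from the old password by at least 50%",
         lambda new, old: old is None or percent_changed(old, new) >= 50),
    ],
    "Mail": [
        ("no more than 16 characters", lambda new, old: len(new) <= 16),
        ("not identical to the old password", lambda new, old: new != old),
    ],
}

def evaluate(new, old=None):
    """Check a candidate against every system's policy.
    Returns {system: {rule_label: passed}} so a password tool can list each
    rule and whether it has been met."""
    return {system: {label: bool(rule(new, old)) for label, rule in rules}
            for system, rules in POLICIES.items()}

def acceptable_everywhere(new, old=None):
    """A synchronized password must satisfy the intersection of all policies.
    Returns (ok, [(system, failed_rule), ...])."""
    failures = [(system, label)
                for system, rules in evaluate(new, old).items()
                for label, passed in rules.items() if not passed]
    return not failures, failures
```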
4. Let users reset their passwords themselves
As mentioned earlier, the introduction of complex passwords leads to an increase in the number of password reset requests to the helpdesk. To ease the burden on the helpdesk it’s possible to let users reset their passwords themselves. Users identify themselves by correctly answering a number of personal questions (e.g. ‘What’s your mother’s maiden name?’) and can then reset their own passwords, without the intervention of the helpdesk.
A combination of these solutions means time-consuming registration procedures are a thing of the past and the helpdesk is relieved of these problems. Users benefit from maximum user-friendliness, while productivity rises.
For more information, please visit our website.
Thursday, May 16, 2013
Control Data and Applications Securely When Employees Come & Go
In today’s complex corporate and business network environments, controlling access to sensitive data is of utmost concern. The amount of security-related data stored across a network is immense for many organizations, and relating all this data to the user’s account information in Active Directory can be tricky and time consuming.
There are really three sides to proper data security. The first step is ensuring that new employee accounts are created with the proper access rights when an employee joins the organization. The second is making sure those access rights remain accurate during the employee’s tenure, and the third is revoking all access rights when the employee leaves.
Let’s take a more in-depth look at solutions for all three of these phases of data security.
Solutions
By using a role-based access control matrix in conjunction with an identity management solution, companies can ensure that accounts for new employees are always created with proper access rights.
The first step of this stage is to define the roles that employees should have in the organization. This is usually a combination of department, location and job title. While establishing the data access rights, group memberships and application requirements for each role can be time consuming, the end result will allow a template for both new employee creation and an audit point in the future.
Software applications are available that link a human resources system to Active Directory for automatic account creation with all the proper rights. Additionally, if there are special requirements, a workflow system can easily be established to allow managers and system owners to process approvals before access is granted.
Access rights to data often tend to creep into multiple areas over an employee’s tenure with an organization. For example, rights are assigned for special projects, while an employee covers for a colleague on leave, or when an employee changes departments and responsibilities. The revocation of these special or historical rights occurs infrequently at best. Again, software solutions are available to analyze the rights of employees and make the information actionable. For such a product to provide value, several capabilities should be considered mandatory, including the ability to detect:
- Direct access to a file/directory rather than access through a group membership;
- Access to a file/directory through multiple or nested group memberships;
- Groups and user accounts that are no longer present in Active Directory;
- Duplicate access privileges to a file/folder of a user or user group;
- Access to files/directories through a local or file system user account.
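The following Python is an added example, not part of the original post or of any Tools4ever product: it runs the five checks listed above over a small constructed snapshot of directory groups and a file share's access control entries (all names are hypothetical).

```python
from collections import defaultdict

# Constructed directory and file-server ACL snapshot (hypothetical names).
DOMAIN = "CORP"                    # trustees are "CORP\\x" (domain) or "FS01\\x" (local)
USERS = {"CORP\\alice", "CORP\\bob"}
GROUPS = {                         # group -> direct members (users or groups)
    "CORP\\Finance": {"CORP\\alice", "CORP\\FinanceLeads"},
    "CORP\\FinanceLeads": {"CORP\\bob"},
    "CORP\\Projects": {"CORP\\bob"},
}
SHARE = "\\\\fs01\\finance"
ACES = [                           # (path, trustee, right)
    (SHARE, "CORP\\Finance", "Modify"),
    (SHARE, "CORP\\alice", "Modify"),        # user granted directly, not via a group
    (SHARE, "CORP\\Projects", "Read"),
    (SHARE, "CORP\\Projects", "Read"),       # same ACE twice
    (SHARE, "CORP\\carol", "Read"),          # account since deleted from AD
    (SHARE, "FS01\\backup", "FullControl"),  # local file-server account
]

def expand(group, chain=()):
    """Yield (user, group chain) for every user reachable from group."""
    path = chain + (group,)
    for member in GROUPS.get(group, ()):
        if member not in GROUPS:
            yield member, path
        elif member not in path:             # guard against circular nesting
            yield from expand(member, path)

def audit(aces=ACES):
    """Return {finding_type: [description]} for the conditions listed above."""
    findings, seen, routes = defaultdict(list), set(), defaultdict(list)
    for ace in aces:
        path, trustee, right = ace
        if ace in seen:
            findings["duplicate"].append(f"{trustee} has {right} on {path} twice")
            continue
        seen.add(ace)
        if not trustee.startswith(DOMAIN + "\\"):
            findings["local_account"].append(f"{trustee} on {path}")
        elif trustee in USERS:
            findings["direct_user"].append(f"{trustee} on {path}")
        elif trustee in GROUPS:
            for user, chain in expand(trustee):   # routes: (path, user) -> chains
                routes[(path, user)].append(chain)
        else:
            findings["orphan"].append(f"{trustee} on {path}")
    for (path, user), chains in routes.items():
        if len(chains) > 1:
            findings["multiple_groups"].append(f"{user} on {path} via {len(chains)} groups")
        for chain in chains:
            if len(chain) > 1:
                findings["nested_group"].append(f"{user} on {path} via {' > '.join(chain)}")
    return dict(findings)
```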
The final step in the data security process is one that is often overlooked or not performed in a timely fashion: The termination of access rights to the network, data and all applications, including cloud-based solutions, must be accomplished immediately upon an employee’s termination.
Recently, a sales manager at a large organization that’s also a client of Tools4ever told a horror story about this very topic. A terminated sales rep had his network access revoked immediately upon departure, but the organization did not have a process in place to disable access in a timely manner to a cloud-based business intelligence application. The terminated employee realized the account was still “live” and proceeded to download more than 10,000 records over the course of the next 30 days at a cost to the company of more than $6,000.
The point of this story: Imagine the costs if 20, 30 or 100 terminated employees did this very same thing in a short period of time.
When putting a process in place to handle terminated employees, the most common scenario is, once again, a link to the HR system. When an employee is terminated, a synchronization process needs to be in place to handle the decommissioning of accounts in all internal and external systems. Where feasible, using web services or application programming interfaces (APIs) to automate the process will save time and money in the long run. Where not feasible, an email workflow process should be established whereby system owners are notified to terminate the account and positive confirmation is required that the work has been completed.
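As an added example (not the original post’s or Tools4ever’s code), this Python reconciles a constructed HR export against a directory snapshot and an external application, producing the joiner, mover and leaver actions the three phases above call for; the role matrix, accounts and application are hypothetical.

```python
# Constructed HR export, role matrix and directory snapshot (hypothetical names).
# A role is (department, location, job title); the matrix lists the groups and
# application entitlements that role should hold.
ROLE_MATRIX = {
    ("Sales", "NYC", "Rep"):       {"AllStaff", "Sales-NYC", "BI-Cloud"},
    ("Sales", "NYC", "Manager"):   {"AllStaff", "Sales-NYC", "BI-Cloud", "Sales-Mgmt"},
    ("Finance", "NYC", "Analyst"): {"AllStaff", "Finance", "ERP"},
}
HR_FEED = {  # employee id -> record from the HR system
    "1001": {"account": "alice", "role": ("Sales", "NYC", "Manager"), "status": "active"},
    "1002": {"account": "bob",   "role": ("Sales", "NYC", "Rep"),     "status": "terminated"},
    "1003": {"account": "dave",  "role": ("Finance", "NYC", "Analyst"), "status": "active"},
}
DIRECTORY = {  # account -> (enabled, entitlements currently held)
    "alice": (True,  {"AllStaff", "Sales-NYC", "BI-Cloud", "Sales-Mgmt", "Finance"}),
    "bob":   (False, {"AllStaff", "Sales-NYC", "BI-Cloud"}),
}
CLOUD_APPS = {"BI-Cloud": {"alice", "bob"}}  # external app -> users still enabled there

def reconcile(hr=HR_FEED, directory=DIRECTORY, cloud=CLOUD_APPS):
    """Compare HR against the directory and external apps; return the actions
    a provisioning link would carry out: create / grant / revoke / disable."""
    actions = []
    for emp in hr.values():
        name, expected = emp["account"], ROLE_MATRIX[emp["role"]]
        enabled, actual = directory.get(name, (False, set()))
        if emp["status"] == "terminated":
            # Leaver: every system, internal and external, must be disabled.
            if enabled:
                actions.append(("disable", name, "directory"))
            actions += [("disable", name, app) for app, users in cloud.items()
                        if name in users]
        elif name not in directory:
            # Joiner: create the account with exactly the role's entitlements.
            actions.append(("create", name, sorted(expected)))
        else:
            # Mover / tenure drift: bring held entitlements back to the role.
            actions += [("grant", name, g) for g in sorted(expected - actual)]
            actions += [("revoke", name, g) for g in sorted(actual - expected)]
    return actions
```

The leaver check deliberately covers the external application even when the directory account is already disabled, which is the gap in the story above.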
Summary
It is imperative that organizations implement the necessary security measures to ensure that access to data, groups and applications is right-sized for an employee during their tenure. Equally critical is the revocation of all account access when they depart. Failure to meet these criteria can lead to theft of sensitive data and costly access to external applications.
For more information on our Identity and Password Management solutions, please visit our website.
Friday, May 10, 2013
From RBAC to CBAC: Claim Based Access Control
Many organizations that are in the process of defining the various organizational roles for the purpose of Role Based Access Control (RBAC) will realize that this is a major or even unachievable undertaking. After all, mapping out all the roles for each department and job title is a time-consuming job. A consultant will have to check with every department to create an inventory of user privileges, formalize it and gain approval. Also, a high level of detail is to be avoided, as this would make it necessary to define as many roles as there are employees, which would undermine the value of automation.
To solve problems like these, Tools4ever has developed an Identity and Access Management solution that combines RBAC with Claim Based Access Control (CBAC). CBAC involves the assignment of access rights to applications and other services based on a so-called claim (proof of authenticity) through which a third party vouches for the authenticity of the person who is requesting access rights or a particular service.
In actual practice, this means that difficult scenarios, exceptions and doubts in the area of authorizations are handled by members of the organization rather than being automatically assigned or revoked. To this end, Tools4ever offers a self-service portal through which requests for access privileges can be delegated to the relevant manager or employee. Following their approval, the changes are implemented across the network.
CBAC allows organizations to quickly and intelligently gain control over user access to network resources. All the decisions regarding the assignment of access rights are directly made by the responsible staff members.
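An added example (not Tools4ever’s implementation) of one way to model this decision in Python: role rights form the baseline, and a request outside the role is granted only on a claim signed by the requester’s manager. The HMAC-signed claim format, names and keys are assumptions for illustration.

```python
import hashlib, hmac, json, time

# Constructed data (hypothetical names). Roles give the baseline rights; anything
# outside a role needs a claim in which the user's manager vouches for the request.
ROLE_RIGHTS = {"sales-rep": {"crm:read"}, "sales-manager": {"crm:read", "crm:export"}}
USER_ROLE = {"bob": "sales-rep", "alice": "sales-manager"}
MANAGER_OF = {"bob": "alice"}
APPROVER_KEYS = {"alice": b"constructed-secret-shared-with-portal"}

def issue_claim(approver, subject, right, ttl_seconds, now=None):
    """The self-service portal turns a manager's approval into a signed claim."""
    now = time.time() if now is None else now
    body = {"approver": approver, "subject": subject, "right": right,
            "expires": now + ttl_seconds}
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(APPROVER_KEYS[approver], payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def claim_is_valid(claim, subject, right, now=None):
    """A claim counts only if signed by the subject's own manager, unexpired,
    and issued for exactly this subject and right."""
    now = time.time() if now is None else now
    body = json.loads(claim["payload"])
    key = APPROVER_KEYS.get(body.get("approver"))
    if key is None:                      # unknown approver cannot vouch for anyone
        return False
    expected = hmac.new(key, claim["payload"].encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, claim["sig"])
            and MANAGER_OF.get(subject) == body["approver"]
            and body["subject"] == subject and body["right"] == right
            and body["expires"] > now)

def authorized(user, right, claims=(), now=None):
    """RBAC decides first; otherwise any valid claim for this user/right grants."""
    if right in ROLE_RIGHTS.get(USER_ROLE.get(user), set()):
        return True
    return any(claim_is_valid(c, user, right, now) for c in claims)
```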
For more information on Identity Management solutions, and other Tools4ever products, please visit our website.