Much Ado About Entitlements

The popularity of entitlements, both as a noun and as a thing, is rapidly growing in the IDM world. Before entitlements became an oratorio impossible to ignore even with the best Jedi mind tricks, there was a flutter of butterfly wings. That is, 2-3 people in a hallway at a conference started whispering entitlements, entitlements, entitlements. Then came presentations, then whitepapers from analysts and vendors and finally the Market noticed that, wait, what about entitlements? The chaos theory refers to the initial whisper event as a butterfly effect, there's no other explanation for their sudden rise to fame. I mean, (more...)

Super Agent 2.0

It has been years, literally, since I have heard anyone talk about agent vs agentless. Both sides have spoken, and I believe the resolution has been passed: Agentless (by that I mean nothing installed remotely from the server) wherever possible, then use agents. And in today's climate of open standards and secure communications, it seemed like "wherever possible" was everywhere. Thus, the debate died and it became an afterthought.

Then comes Microsoft Exchange 2008. From a remote java perspective, Microsoft Exchange was all figured out. Java applications utilized JNDI to communicate with the MS Active Directory Domain Server to set (more...)

Silence is Golden

Even with more daylight, I struggle with finding enough time to juggle family, work, and blog (not necessarily in that order, but pretty close most days). As a result of increased activity, I have been silent on the blogging front. This is not to say that I have not been thinking about all the interesting things to write about. With the workload increasing, the number of topics that I would like to discuss in an online forum also grows. Unfortunately entropy is hard to beat and without a perpetuum mobile as a source of energy, I have to find that (more...)

Rock around the clock

As the summer descends upon us, so have various industry conferences. With that raison d'etre, a rising tide of interesting discussions is sweeping across blogs and other assorted outlets of identity and access management sound and fury. Mark Diodati from the Burton Group weighed in on the ontological issue of privileged accounts and people who (ab)use them. The linguistic conundrum seems to be in differentiating Privileged Accounts from Privileged Users. The secret sauce of securing privileged accounts according to Burton is based on managing two ingredients: WHO has access to the accounts and WHAT the accounts can do.

In my (more...)

Ask Identigral (Issue 6)

Ask Identigral is our answer to Dear Abby. According to Wikipedia, "Dear Abby ... is known for its uncommon common sense and youthful perspective", two qualities we're striving for in our blog. Since Abby isn't very good when it comes to identity and access management products' arcana, I together with the rest of Identigral staff have decided to step in and close the gap. Email us your questions about any Oracle identity or access management product(s) and once a week we will post the answers here.

What is the best way to customize Oracle Identity Manager user interface?

When customizing any (more...)

Overcast weather

Toto, we aren't in Kansas anymore. I believe we have landed in Seattle where cloud cover is the norm.

At JavaOne they have a whole set of sessions dedicated to the Cloud. Soon, the Cloud (with a capital C, mind you) will be as pervasive as the web. (Wait, isn't it the same thing?!). I was fortunate enough to attend the standing-room only panel on Secure Cloud Computing this afternoon. The panel consisted of Michelle Dennedy from Sun, Joshua Davis from Qualcomm, Jim Reavis from Cloud Security Alliance, Tim Mathers (old timey (experience, not age) InfoSec guy), (more...)

Implementing Seek and Destroy (part 2)

In the previous blog post, I have described some of the best practices that are worthy of consideration when designing robust off-boarding processes. In part 1, I talked about how to implement some of these best practices using Oracle Identity Manager. This post is a continuation of the implementation discussion.

Trust but Verify. You need a system of checks and balances, at worst a single control where an alarm will go off somewhere if the terminated employee hasn't been off-boarded. In Oracle Identity Manager (OIM) this is best accomplished via attestation. Attestation tasks could be automatically generated for both (more...)

Ask Identigral (issue 5)

Ask Identigral is our answer to Dear Abby. According to Wikipedia, "Dear Abby ... is known for its uncommon common sense and youthful perspective", two qualities we're striving for in our blog. Since Abby isn't very good when it comes to identity and access management products' arcana, I together with the rest of Identigral staff have decided to step in and close the gap. Email us your questions about any Oracle identity or access management product(s) and once a week we will post the answers here.

We have applied the latest patch to our Oracle Identity Manager installation. Does that mean (more...)

Spring Cleaning

Each spring an annual rite beckons me. Software engineers might call it refactoring, artists prefer the term deconstruction and tres chic museum curators use denouement. The rest of the world calls it cleaning up your mess. Cobwebs are removed, dust is annihilated, furniture is rearranged, (ab)used items are donated or discarded. This is more out of habit (as rites are wont to occur); the local microclimate doesn't really require winter clothes to be put away and summer clothes to be readily available. If you go through all this trouble of taking things apart and putting them back together, you (more...)

Implementing Seek and Destroy (part 1)

In the previous blog post, I have described some of the best practices that are worthy of consideration when designing robust off-boarding processes. Here I will go over possible implementation strategies for the first two bullets using Oracle Identity Manager (OIM) as an automation platform. I'll cover the other two bullets in my next post.

1. Be Fast. In terms of timing, off-boarding should be executed as close as possible to employee walking out the door. What this means is that OIM needs to know about the termination event before it actually happens. One way to accomplish this (more...)

Seek and destroy

In recent local news that became national news, Abdirahman Ismail Abdi, a former employee of California Water Services Company ("Cal Water"), a local water utility company, attempted to steal $9 million from the company by wiring the money to a bank in Qatar. Fun facts:

  • According to Cal Water's website, they're the largest investor-owned American water utility west of the Mississippi River and the third largest in the US. Their parent company, California Water Services Group, is a public company traded on NYSE with 2 million customers.
  • The attacker allegedly gained access to computers belonging to two senior executives in two (more...)

Ask Identigral (Issue 4)

Ask Identigral is our answer to Dear Abby. According to Wikipedia, "Dear Abby ... is known for its uncommon common sense and youthful perspective", two qualities we're striving for in our blog. Since Abby isn't very good when it comes to identity and access management products' arcana, I together with the rest of Identigral staff have decided to step in and close the gap. Email us your questions about any Oracle identity or access management product(s) and once a week we will post the answers here.

We have a field on our Oracle Identity Manager user profile (Xellerate User object) that (more...)

Better Living Through Chemistry

I have always loved the subject of physics, but I am definitely a macro-gal instead of a quantum one. A Newton over Hamilton kind of thing. As a result, chemistry was one of my least favorite subjects in school. Having said this, I recently found that chemistry might actually be helpful in explaining the complexities surrounding the movement of an employee throughout an organization.

We start by modeling the organization as a closed system with many molecules, like the Finance molecule, the HR molecule, the IT molecule and so on. Since molecules are made up of atoms, within each departmental (more...)

Give me federation or give me death

Once again, several threads coalesced and led to this blog. The chief impetus was a question asked on LinkedIn about federated identity management. Since the term federated identity management is somewhat of a misnomer (and a broadside), we'll use an even less accurate but slightly more legitimate federation. To wit, the person asking the question was wondering if federation is "critical" and why organizations are slow to adopt federation for "cross-organizational access".

My response to the question was that federation is not critical and the reasons for slow adoption are mostly standard. It's a fairly new technology with a (more...)

Use It or Lose It

This blog post is a continuation of Waiting at a Station where I talked about attestation and possible strategies of reducing its scope. The strategy I am proposing is to segment user accounts into active and dormant where the definition of dormant is set by audit guidelines or IT policy; dormant accounts can then be excluded from attestation. At its simplest (and for the sake of this example), we can define dormant as any account that has not been used since the last attestation. If we assume that attestation is done once a quarter, our definition becomes "any account that (more...)

Ask Identigral (Issue 3)

Ask Identigral is our answer to Dear Abby. According to Wikipedia, "Dear Abby ... is known for its uncommon common sense and youthful perspective", two qualities we're striving for in our blog. Since Abby isn't very good when it comes to identity and access management products' arcana, I together with the rest of Identigral staff have decided to step in and close the gap. Email us your questions about any Oracle identity or access management product(s) and once a week we will post the answers here.

We want to use Oracle Identity Manager (OIM) to manage Active Directory (AD) passwords. However, (more...)

Waiting at a Station

In a blog post a few days ago, I wrote about the parallels between Security Information and Event Management (SIEM) and Identity Administration solutions. In both cases, when an event comes in from an external system, there are rules that evaluate the event. If the event is deemed to imply a threat (in SIEM case) or a compliance issue such as a rogue account that could lead to a threat (in Identity Administration case), I wondered about possible actions that could be taken without involving a human. In this blog I'd like to examine a related premise and do it (more...)

The KOL Miner’s Daughter

Just when you've escaped from your past, it comes back to haunt you, something about learning from history and being doomed to repeat it. I had every intention of doing a blog post about identity management challenges associated with implementing business processes having to do with internal (employee) transfers but when worlds collide, singularity happens. Prodded by the announcement of an improved Twitter search, Oracle's Nishant Kaushik writes about the new "identity equation". This comes only two days after a blog on the very same subject by a former colleague of mine, Endeca's chief scientist Daniel Tunkelang. Two blogs, two (more...)