Tuesday, February 20, 2007

DuPont Data Theft

I always say if you can't trust your IT staff then you've got a problem. Then again, it's not about trusting the people, it's more about trusting that the controls in place are enough to keep the honest people honest. Just like the locks on your doors. If someone really wants to break in badly enough then they will likely find a way, but if you leave the doors unlocked then maybe even an honest person will be tempted.

The DuPont thing {Link} is so sleazy a company really would have to be desperate to hire someone that stole so much data from his prior employer. I'm not saying that this guy Min's new employer new what he had done, but it's pretty strange that 4 months after signing on with the new employer he's still working for the competition. This is why Identity and Access management is so important. Only give people just enough access to applications they need to do their jobs and nothing more. But beyond Identity and Access Management, monitoring is critical for detecting such anomalies as mentioned in the DuPont story.

Crossed over to the other side...

So last week I was an IBM customer. This week I am an IBM Business Partner. Or another way of putting it I was a customer, now I'm a consultant. New role, new hat, new perspective on many things.

Day1:
My first day on the new job was your usual orientation type of thing. How to access the various HR and house keeping applications. How time is managed, who the important people are when you need help, etc.... It was a very productive day. One of the highlights was a fabulous Chinese restaurant P.F. Chang's China Bistro. Now usually I would prefer a local restaurant to a chain, but this was outstanding. Chang's Spicy Chicken was sooo good. Just melted in your mouth. They have these lettuce wraps with I think chicken or pork and you literally place the mixture in these little lettuce "cups" and wrap it up like a tortilla. Then we had the Pin Rice Noodle Soup which was awesome. It had a good kick to it, but not too much. The best part of P.F. Chang's is that you leave feeling satisfied, but not sick like I often do after eating from a typical fast food Chinese restaurant. I wish we had a P.F. Changs here in the Buffalo area. This is well worth it if you ever find one near by.

Day2:
Right into the fire, my second day was at a customer site. This is where I will likely be for quite a while aside from a bunch of scheduled training I have between now and July 1. So I hooked up with most of the project team from my company and partner companies along with some folks employed by the customer. Quite a team of people here. So far we are well into architecture with a Tivoli architect (ITIM) guy, a TAM guy (IBM), some project managers (our side, customer side) and an army of various technical and managerial folks. I'm shadowing for now to build on the experience and knowledge I already have and hopefully I'll be contributing during the implementation phase.

So off I go learning as much as I can about the needs of my new customer and how we will solve those needs with Tivoli software.

Thursday, February 15, 2007

Career move just a few days away...

Changing jobs is no small feat when you are leaving on good terms. My last day is tomorrow 2/16/07 and I've spent the last 2 weeks wrapping up the architecture phase of the Identity Management project here, trying to transfer knowledge, files, company owned gadgets, etc... to the people that need them. This is certainly a big job when you have accumulated 10 years of data and what not. Just updating everyone I know with my new contact information is a big job. I think I've worked 8:00am until Midnight for the last 2 weeks straight. I did take some time off this past Saturday to take the kids sledding though.

Some time ago I committed myself (no, not to an asylum) to Identity and Access Management. I took this plunge about 1.5 years ago when our organization wanted to build an enterprise LDAP which included the aggregation of identities from over 100 customer organizations each with slightly different technologies and standards for maintaining their user accounts. This was a big jump for me because I has spent the prior 7 or 8 years dedicated to Domino and a few before that to Novell. But this sounded like a great challenge so I started with Tivoli Directory Integrator (truly remarkable product in my opinion) to build assembly lines to connect to Novell, Active Directory, and Domino Directory servers pulling user accounts into Tivoli Directory Server. But, I said, "What about the users' passwords?". We can easily pull all these identities into an enterprise LDAP just fine, but we will ultimately be talking about over 200,000 users. How will we maintain a password policy? How will we convey to these users what their original name and password is and prompt them to change it after their first login? That's a job for Tivoli Identity Manager. Now to take a step back, why would we build this enterprise LDAP in the first place? WebSphere Portal and any portal delivered applications is the answer. So the primary driver for building the LDAP was to allow all of these users to login and access applications we intend to roll out. Early on we knew that TIM and TAM would be required so when we finally purchased that software and started to install and play around with it, a few things became clear to me:

1.) I had a lot more to learn about the Tivoli software
2.) This project was going to be a long and hard one

Both of these things spell challenge to me and I really love a challenge. So I committed to learning all I can about TIM, TAM, TDS, and the various ways to deal with Identity Management.. But to become an expert in this field will require something more than I can get by staying here in this job. As much as I loved my current position, it's going to take a different type of job for me to really learn this stuff. Alas, I am leaving my role in K-12 education and joining IBM Premium Business Partner Strategic Computer Solutions, Inc. out of Syracuse, NY. With this new position, I'll be on an accelerated pace of learning and I'll be exposed to more experts in the field than if I stayed here. I anticipate the change to be a positive career move which should enable me to make a difference in many more ways down the road. I'm psyched about the new opportunity and look forward to adding value to the Tivoli brand and of course the SCS team.

So, I'm working on moving this blog so that I can continue posting my experiences with the Tivoli Security software along the way. Hopefully my postings will somehow help someone else who has to go through the same learning curve I am going through. And since there aren't really any bloggers out there for TIM and TAM, hey it's something new to talk about. OK, not exactly as exciting as Notes and Domino, but middleware is not all that glamorous. So what.

Monday, February 5, 2007

VA déjà vu

It happens again and again. People's identity data is compromised by the loss of a computer, hard drive or some system gets hacked. In fact for the VA this is tragically the second time in only months. See Computerworld {Link}. It's just unbelievable to me that these employees need to work with thousands of records on a local drive for any reason. First of all the article isn't clear how many records were compromised. Is it 48,000 or 20,000? I wish these articles would explain why these records were on an external hard drive in the first place. What project could this person been working on where he/she could not access the records as needed from a secured database or something? Why aren't the records on a server in a locked data center? Going back to May 2006 why was an employee carrying around 26 million records on a lap top? Now that would be helpful information in the article.

When I hear about these breaches it makes me stop and think about the project I've been involved in for the last 2 years and the projects coming up where I'll be dealing with employee identity data. When developing a TDI assembly line to pull user attributes from one system to another it's very common to test it with simple CSV or flat files for the source or destination of that data. I remember developing an assembly line to read thousands of users from one system and write the records to an LDAP. To test this I would first output the data to a file. This testing might occur many times over and over. These files may end up on various directories of my computer (lap top) which undoubtedly would go home with me at night. Maybe I'll stop at the Gym on the way home or the grocery store. Next thing you know my car gets broken into and I'm the next cause of a security breach at my company.

Well luckily I don't keep these files on my lap top really. Also lucky for me I don't happen to be dealing with personal information. But these security breaches have to make you stop and think if you are like me and happen to deal identity data from time to time. I guess the simple lesson is don't keep information like this on your machine. Make up a pile of bogus users if you have to test your assembly lines. If you need to test with real users do it on a secured machine that won't be sitting on the back seat of your car after 5:00pm.