Charles Ahart
Identity Management, Travel, Trials and Tribulations
Monday, November 11, 2013
Re-certification in IBM Security Identity Manager 6.0 no Person Types
I just find it a little annoying that when creating re-certifications in SIM 6 you can choose persons of type Person or BP Person, or you can choose all Persons, but if you have any custom SIM person classes defined, the tool gives you no way to select your own custom Person type. It's as if the developers got 3/4 of the way through developing this feature and said, "Oh, good enough."
Monday, February 18, 2013
What's Hot in Security?
These days, I am getting a lot of calls for security solutions. I would say we are busier than ever. Here are what people are asking us for:
1.) SIEM - Tons of customers are either ripping out old log management solutions and replacing them, or they are just now getting around to implementing these. This space is fairly competitive. I'm running into McAfee Nitro, Dell SecureWorks, LogLogic, LogRhythm, Tripwire and, of course, the one we sell, QRadar.
2.) Database Security - This is a really hot area right now. So many of our customers are trying to put better controls on their databases. They want to ensure that any unacceptable database queries are stopped, or at least alerted on. They want to ensure that even privileged users (DBAs) are controlled. They want to mask certain data from being seen in the tables. They want comprehensive audit reporting. And they want all this with little to no performance penalty on the database. I usually only see Imperva and Guardium in this market space, although occasionally the Oracle shops tend to go for Oracle's solution. IBM Guardium rocks in this space.
3.) Application Security - We are working with quite a few customers who develop web applications in house for their Internet/Extranet, etc. There are a few spots where they are looking for help securing these applications. One is ad hoc pen testing: simply periodic testing of their web-facing applications to ensure there are no new vulnerabilities. Second is during the software development lifecycle. It is widely known that it's much more expensive to fix a bug after it is already deployed to production than to catch it before it makes it to Prod. So vulnerabilities found by scanning the source code during the development process are much less expensive to resolve. AppScan is tops in this space at detecting and helping to solve these problems.
4.) Identity and Access - Many companies do this already, but I've helped companies who are on their first, second and third deployments of Identity and Access. So this is not really slowing down. The interesting thing about this space is that over the last several years there has been a distinguishing line between Governance solutions and User Admin and Provisioning solutions. Many vendors have both included within their respective Identity Management solution, but in almost every case the Governance solution was a different acquisition from the User Provisioning solution. Anyhow, this space is mature. For larger companies I am always running into Oracle and CA. We tend to recommend IBM at our company. But at smaller customers there are many other options out there, such as Microsoft, SailPoint, Aveksa, Centrify and Courion. Sometimes we recommend a combination. We occasionally like an Aveksa + IBM solution for Identity Management. IBM's most flexible and mature provisioning solution accompanied by the user-friendly governance offering from Aveksa is sometimes a great match. The options are plentiful.
5.) Privileged User Management - This comes up a lot with customers these days. Controlling what the root and admin users are doing is very important to those who are heavily regulated. The vendors I run into most in this space are CyberArk and Centrify. CyberArk seems to be a favorite among many people. They like the fact that it records video of what the admins are actually doing. Pretty cool. Centrify is a nice solution as well. IBM released a PIM solution at the end of 2012 which integrates its Identity Management offering + ESSO: check in and check out the privileged user accounts, audit who uses the accounts and what they accessed, etc.
We run into plenty of infrastructure projects as well (Firewalls, IDS/IPS, etc.), but every day I get a call about one of the 5 above, and not necessarily in that order. Security is very hot right now.
Tulsa, OK
Visiting some clients this week, I figured I would stay in downtown Tulsa. So I booked a night at the Courtyard. The Atlas Life building was built in 1922 and they have kept a lot of the charming old doors and some of the decor, which is cool. Unfortunately I drew the short straw on the view from my room.
IBM Security Brand
This is sort of old news, but for some folks it's completely new stuff. For a number of years I worked with IBM products in the Lotus brand and then the Tivoli brand. Tivoli was a huge brand including many different kinds of software solutions, from asset management to security. I believe there were hundreds of software titles in the Tivoli brand. The security products I worked with were a handful in the ocean of Tivoli products. But at IBM there were other handfuls of security products sprinkled throughout the other brands. With the acquisition of Q1 Labs, IBM also announced a new brand called IBM Security. Like Tivoli, IBM Security is its own business unit at IBM. Most of the products from all of the other brands that had anything to do with security have been moved within the IBM Security organization. This is good. It helps IBM and partners articulate a consistent message and strategy to customers. From support to development, the expectation is that all of the products within the security organization will gain more consistency in development lifecycle, and will improve integrations between all of the security products.
So for those who are not up to speed on the new product names and versions, I'll mention some here:
IBM Security Identity Manager (SIM) formerly known as IBM Tivoli Identity Manager
IBM Security Access Manager for eBusiness (SAM) formerly known as IBM Tivoli Access Manager for eBusiness
IBM Security Access Manager for Enterprise Single Sign On (SAM ESSO) formerly known as IBM Tivoli Access Manager for Enterprise Single Sign On
IBM Security Directory Server formerly known as IBM Tivoli Directory Server
You kind of get the idea. The acronyms are as silly as ever.
But there are other products from IBM which we are doing much more with:
IBM Security Identity and Access Assurance, for one, is a bundle of all of the IAM products and later in the year will likely include a SIEM solution again.
QRadar SIEM is a top notch security intelligence solution in the SIEM space and probably one of the best acquisitions IBM has made in security.
InfoSphere Guardium is another great IBM product, top notch in data security.
AppScan is also head and shoulders above its competition in many ways and the market shows it.
So with all of these great solutions under one brand, and the security division being led by a security guy, it has been very busy for us IBM-leaning security people lately.
End of Life or New Beginning
I was inches from killing this blog once and for all. For the past 2 years it sat idle, collecting spam mainly. Every now and then I would meet someone in my IBM circles who would say, "Hey, I think I've read your blog." I'd reply, "Yeah, I should really get out and do something about that thing."
Anyhow, there are lots of reasons not to keep this thing going. For one, I found it hard to mention in too much detail the kinds of things I was doing at customers' sites. Just trying to cleanse the information was a task. Second, it really did not attract a whole lot of input from the outside. More often than not, someone was asking me a question about a problem they were having, which would lead me on a wild goose chase to try and find a solution. I hate not replying to people, but then again, I have a full-time job already. Thirdly, the material is a bit boring at times.
Well, times change, and in my current role I actually do have more I could blog about than before. But it still takes effort to get out here and say something halfway intelligent.
So here it goes. I'm going to try this again for a while and see if I can keep it up. If it goes stagnant again, I'll just kill it altogether.
Tuesday, January 12, 2010
Signed up for Pulse 2010 yet?
Granted, the recession of late has curtailed spending all around, but for many IT departments there are still a number of high-priority projects, especially in security. If you are already an IBM shop, the Pulse conference is a great way to get a deeper look into the products and solutions that you are considering for the new year. You will spend the time and money doing this research anyhow. Why not come out to Vegas for a look under the hood?
Pulse represents a pretty large swath of products. Unlike Lotusphere, which focuses on Lotus and Portal, the Pulse conference covers all things Tivoli. There are over 300 products in the Tivoli brand, so this conference is a bit different than Lotusphere. If you are into Asset Management or Performance and Monitoring, there are specific tracks for you. If you are interested in Security, there is a whole other track for you as well. Within each area, there are a number of presentations from customers demonstrating recent deployments, where you will get the real scoop on what their projects were like, the good and the bad. This alone is worth the visit if you are planning a project with Tivoli software this year. Also, you can stop in the hands-on labs and actually work directly with the software so that you can get a feel for how the product really works. The labs are staffed by the IBM education team, and there are some really sharp people there who can work through the labs with you.
Pulse also has areas set up where you can "ask the experts" just about anything. These are basically casual "sit down and chat" spaces where you can be face to face with folks from the product development teams and ask questions. Nothing is so complicated that you cannot get an answer at Pulse.
Business Partners and 3rd-party vendors set up shop on the showcase floor to show you how they implement the IBM solutions. You may get some really good ideas from these folks on how best to leverage the IBM solutions, as well as find help getting started with an implementation.
The technical sessions are a great way to get a look at some of the other products and solutions you may not have thought about before. There is something here for everyone, from C-level folks right down to the hands-on IT person, so I recommend you come on out and see for yourself. It's well worth the expense.
BTW, the recreation is not all bad either. While I do not enjoy gambling, being in Vegas is a spectacle. The Pulse Palooza isn't a bad time either. Free beer!
Register for Pulse 2010 --> http://www-01.ibm.com/software/tivoli/pulse/
Get a look at what's going on at Pulse 2010 --> https://www-950.ibm.com/communities/service/html/communityview?communityUuid=dd8bf011-85af-48da-a4dd-21047a08c33e
Friday, January 8, 2010
TAM ESSO v8.1 - Are you ready for WebSphere?
Installing a standalone TAM ESSO IMS Server, including the database, took about 2 hours. That was version 8.0. IBM released version 8.1 this past December, and I spent this week going through the upgrade process to see what will be in store for folks who want to jump right into the new stuff. It didn't take the whole week to do this upgrade; however, I had to take it slow so that I could capture documentation for future reference.
The big news is that TAM ESSO v8.1 requires IBM WebSphere Application Server. When I first saw this I thought "ugggh". But the reality is that you had to know this was coming and it makes sense to run IBM's single sign on solution on their own application server.
This changes a lot, though. First off, deployments will take a little longer. The fact is, even with the wizard installation tools, WAS is still a big pile of software to install. You also need IBM HTTP Server. Both need to be patched once you install them, and you can't even patch the software until you download the patch installer first (IBM UpdateInstaller). But Windows shops should be used to that anyhow, as you need to install Microsoft's update software in order to get Windows updates.
First, is the upgrade worth it? Of course. If you want the best support for your software, keep on the latest and greatest. Everyone has heard the same thing on a typical tech support phone call, where the support guy asks, "What version of software are you running?" and you say, "1.2". No doubt the support guy will suggest you try the latest version. Sometimes it really comes down to which version has the fewest warts. Because you know that the latest version of software will have something wrong with it, but you hope the latest has fewer warts than the older version, and let's face it, which version is getting the most attention?
The new version of TAM ESSO does not look any different than the prior release as far as the end user is concerned. But when you think about it, if TAM ESSO is doing its job, the user does not even know it is there. All the user knows is that they log in to Windows, launch their applications and they are magically signed in. Not much to see there. But for the implementer or tech support team, there is plenty to be happy about in the new release.
1.) IBM has opened up the doors to more 2-factor devices. Generic smart card support: this will leverage 3rd-party products for smart card life cycle management and leverage Windows smart card authentication for certificate authentication. Also, a Serial ID Service Provider Interface (SPI) has been introduced to allow any vendor with a serial ID device to integrate with TAM ESSO. BIO-Key support has been added, which will also widen the choices of 2-factor devices supported.
2.) Wider platform coverage. Windows 7 is coming, and shops that are already starting to buy machines with Windows 7 want to be sure AccessAgent will work. While IBM does not list Windows 7 specifically in the compatibility list, Kiosk support has been added for Vista, and 64-bit Windows is supported for AccessAgent, although there may be some issues with certain 3rd-party strong authentication devices. Word on the street is that Windows 7 will show up on the list when it is Microsoft certified.
3.) New features in AccessStudio should make profiling a little easier. The undo button is a nice option we take for granted in Word documents. I like it in AccessStudio very much. Another really nice feature that was added is the ability to take an existing trigger and convert it to a different type. To me that's a welcome new enhancement. The ability to save your profile as an image was there in version 8.0.1, but it's listed as a new feature for 8.1. I like it nonetheless so thanks IBM. Enhanced logging messages are also a big help. Any time they make improvements to this area, I'll welcome it.
4.) Firefox finally! I knew a lot of people that were really turned off by the lack of support for Firefox. At first I was a little the same way, but I got used to using both IE and Firefox anyhow for reasons that have nothing to do with SSO. I look forward to working with Firefox in profiling.
Well, I'm off to another SSO project. Stay tuned for more on this later.