Many of our customers are implementing or considering the implementation of hosted application services (aka SaaS).  The benefits are obvious because your support burden is reduced whether that be due to increased resource utilization, hardware savings, software savings or otherwise. 

For the sake of this article, let’s use the example of implementing hosted email services by Google.  Google Apps is a great solution for commercial, non-profit and public organizations.  The Google infrastructure is better than most organizations could provide themselves.  Your internal customers have 24/7 access to their email, calendar, docs and other services provided by the Google Apps offering.  As an IT department, you no longer maintain your email infrastructure.  You no longer have to keep internal resources trained on your email system and you can now take back those resources that were dedicated to supporting email and reassign them to other projects.  All of this is great and seems like a no-brainer for many organizations.

The truth is, you do still have some management burden.  Even though you don’t support a local email system, you still are responsible for setting up and managing your user accounts for Google Apps.  You will still get the call when users can’t access Google Apps because they don’t have an account, they are disabled or they don’t recall their password.  Many IT departments are disappointed to see the lack of tools available to automate this process.  Google does provide a directory synchronization tool but it isn’t perfect.  Password management is an all together different issue.  Although this isn’t the basis for this article, it is worth noting that Identity Automation has a Google Adapter for DSS the can fully automate the management of users and groups in Google.  This solution absolutely deals with much of the pain associated with managing Google Apps accounts, but I digress.  The point of this article is to specifically discuss passwords regarding hosted services.

Back to our Google Apps example, our adapter is capable of taking passwords from your internal directory service and synchronizing those to the matching Google Apps account.  This is a great solution but it can raise security concerns.  Google hosts their Google Apps in a high security facility.  Their employees are well vetted.  That doesn’t mean every hosted services provider goes through the same pains regarding security.  The alternative?  SAML!

Many hosted services providers support SAML for authentication.  Google Apps, Salesforce.com, Zendesk and Zoho to name a few.  A system that supports SAML as a means for authentication is referred to as a Service Provider (SP).  An SP requires the availability of an Identity Provider (IdP).  When a user accesses Google Apps (with SAML configured), they will not authenticate directly against the Google servers.  Instead the SP (Google in this case) will refer the user’s browser to the IdP.  Our ARMS and/or DSS products both act as an IdP.  The IdP is configured to authenticate users against your internal directory service such as Active Directory.  That means when a user accesses Google, to a redirected to your ARMS (or DSS) appliance where they will log in with their network credentials.  The same credentials they use to log into their office workstations.  Once authenticated, the IdP passes a secure token that tells the SP that you successfully authenticated and informs the SP who you are in its system.

SAML is important to your organization as you move more towards relying on hosted services.  Without SAML you are storing credentials in an untrusted environment.  You don’t always know how those credentials are stored and secured.  A user’s credentials in these systems likely match the same credentials used for in internal systems.  If the passwords in the hosted system are stored in an insecure fashion you’ve basically exposed access to internal systems as well.  With SAML, there is no credential stored in the hosted service providers facility.  There is zero risk of credentials being exposed and stolen.

By combining our Google Apps Adapter for DSS and ARMS with the SAML IdP service, you now have a viable option fully automating the management of accounts and providing secure SSO without the risk of storing user credentials “in the cloud”. 

Contact Us today to find out how we can provide this solution for your organization for Google Apps or other hosted services solutions.

Not a day goes by that we don’t have a conversation with a customer about some service they want to connect to that exists in the “cloud”.  There are numerous ways to handle the authentication for those services and there is increasing interest in the use of SAML for this purpose.

If you’re not familiar with SAML (Security Assertion Markup Language 2.0), it’s a “standard for exchanging authentication and authorization data between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end-user) between an identity provider and a web service. SAML 2.0 enables web-based authentication and authorization scenarios including single sign-on (SSO).” ¹

One of the big questions when considering the use of SAML is who are you going to trust to be your SAML provider?  As we hear of more security “incidents”, organizations that we talk to are questioning the wisdom of allowing someone else to host their credential data and are interested in being their own SAML provider. With the upcoming release of ARMS 2.1.0 you will now be able to be your own SAML provider and able to direct applications that can leverage SAML for authentication, such as Salesforce.com, Google Apps, Zendesk, etc, to your system for authentication.

If you want to learn how you can implement your own SAML Authentication Provider, please contact our Sales Team today!

As school districts across the United States grapple with budget shortfalls, these same organizations face increased expectations for services to staff, students and parents.

Over the past three to five years we have seen an increase in the need for Identity Lifecycle Management needs for all district staff and we have been actively engaged with districts all across the US to implement solutions that facilitate the fulfillment of this need without creating a bottleneck in IT and minimizing the impact to the IT organization.  As districts step out to provide services to students, the need for automation becomes increasingly important due to the sheer number of accounts that must be managed.  Adding parents to the list of users makes the task of automated account management absolutely paramount.  We have also found that it is just as important to provide facilities for users to manage their accounts (e.g. password recovery, user association, etc) so the users are able to achieve their goals as quickly as possible without having to rely on Helpdesk or other staff to manage their accounts for them.

Our Data Synchronization System and Access Request Management System are the most cost effective tools on the market today that achieve these goals without adversely impacting your budget.

If you want to learn how you can implement a fully automated Identity Lifecycle Management system in these lean times so you are able to meet the demands of your customers yet do so at a very reasonable cost, please contact our Sales Team today!

Protection of your organization’s data assets is critical to ensuring your competitive edge as well as to fulfilling your fiduciary responsibility.  Failure to implement systems to guarantee the enforcement of company policies for data access can cause serious legal troubles and shake the confidence of your customers.

Following is a recent story that documents how a terminated employee still has access to his former employer’s computers systems months after his departure.

New Zealand Herald - Telecom’s customer data open to ex staff

Identity Automation’s Identity, Data and Access Management solutions can ensure that your organization enforces best practices to mitigate these types of risks.

For more information, contact our Sales Team today!

Recently I was reviewing some provisioning statistics for one of our customers using our ARMS and DSS products.  I see these statistics on a daily basis because we build that into all of our IDM solutions.  This week I took a minute more to really look at the numbers and put them in perspective.  Here are the statistics for student provisioning at this customer site for a 24-hour period:

Now these numbers are only a subset of the total transactions that are automated or delegated outside of the IT department using our products.  For example, these numbers don’t include staff provisioning transactions or password resets.

With that in mind, how many staff would be required to deal with this many transactions on a DAILY basis?  The reality is that each transaction, when done manually, takes quite a bit of time.  It requires time to request the change, review the change, implement the change, validate the change and communicate the change.  To put a number to that, let’s say each transaction requires a total person effort of 10 minutes.  Using the numbers above, that totals 19,190 minutes (or 319 hours or 40 days)!!

The reality is no organization can handle that load from a resource perspective.  The obvious deduction then is that these transactions just aren’t occurring without “full” automation.  By that I mean an automated solution that deals with all of these transactions, not just one or two transactions.  That means many accounts are not getting created, updated, moved, disabled, etc. either in a timely manner or at all.

Another way to look at the value is to put a cost to each transaction.  How much does is cost an organization to deal with these transactions manually?  Research firms often use $25 as a per transaction cost.  This includes factors such as the salaries, benefits, lost work, etc.  Using our transaction numbers above, the daily cost for handling every transaction would be $47,975/day or a whopping $12,473,500/year!!

Now, I’m not saying you’ll save $12 million a year by automating your account management.  The point is that automation is absolutely a great value for any organization.  Again, this is only one piece of the IDM puzzle.  This doesn’t cover other features offered by our ARMS and DSS products to provide delegated administration, group membership automation, contingent worker management and workflow.  It also doesn’t cover the audit and compliance benefits that are gained by keeping track of all events related to identity.

I sent an email to the customer who’s numbers are reflected above.  Here’s the response:

“Incredible. I did not think we had that much volume.  A very effective investment!”

The reality is that most organizations don’t have a baseline for how many identity-type transactions they manage on a daily basis.  That is usually not realized until after the automated solution is put into place (assuming the solution tracks those statistics).  Every organization is different.  The volume of transactions is also going to be different.  Regardless, identity management is important to all organizations. The primary benefit for each organization could be costs savings, reducing errors, compliance, improved customer satisfaction or some other factor.  All of these are valid and the reality is that all of them are achieved every time we implement our products.

For more information about our solutions, contact our Sales Team today!

The list of regulatory and other mandates that require some level of Identity Management is ever growing. Having a documented process and then relying on people to follow those processes is not enough to ensure compliance to these mandates. The only real solution to mitigate process breach is to implement systems to guarantee access controls.

If your organization is subject to CFATS, SOX, HIPPA, FISMA, FERPA, PCI or any other mandate that requires auditable access controls then the implementation of an Identity Management and Workflow system are imperative to ensuring compliance.  That being said, all IDM and Workflow solutions are not the same!  Before making a technology choice, be sure that the solution you choose is easy to use and does not overly burden your staff or create bottlenecks and roadblocks that could hinder productivity.

Identity Automation has years of experience implementing solutions to fully manage the Identity Lifecycle within computing systems across the enterprise and are experts at access control and workflow which are at the heart of effective implementations of these systems.

For more information, contact our Sales Team today!

As we have the privilege of talking to customers about their Identity Management needs, one of the requests that comes up over and over again is around the delegation of Account Management. 

There are many use cases where delegation makes sense. One that we run into daily is the need for teachers to be able to unlock accounts or reset passwords for students. Allowing this capability to flow to the teacher level greatly improves user experience, ensures immediate resolution to the user’s problem while freeing IT up to focus on more strategic initiatives.

Another use case is giving managers the ability to reset passwords for employees.  Just like the example above, delegating this responsibility improves user experience while shifting the responsibility to those closest to the challenge.

If you need a solution that requires a some level of delegated account administration with complete audit capabilities, give us a shout and let us see how we can help.

We work with organizations every day that consume a number of their services from “the cloud”.  For many commercial and government customers these are services like Google Apps or Zendesk.  For education customers, we see a lot of Live@EDU, Google Apps and Raptor V-Soft but the list of service providers is endless.

We all know that managing identity and access within our internal systems is challenging enough and the idea of extending this to cloud based services can be the cause of a lot of concern.

One way to deal with this is to implement an on premise Identity Management solution using tools such as our Data Synchronization System (DSS) and Access Request Management System (ARMS). Another option is to leverage our hosted solutions for synchronization, which we offer for systems such as Zendesk, KeepnTrack, Google Apps, Live@EDU and Raptor V-Soft.

Taking this approach means quick implementation, reduced burden on IT staff, increased service-levels and fast ROI.

If you would like to learn more about our hosted and on premise Identity, Data and Access Management solutions please contact us today.

I have been around Information Technology for 20 years and managing Privileged User Access has always been a challenge.

Different organizations handle this issue in different ways.  Some choose to share the password for super user accounts (root / administrator) with folks across the IT department so work can be done without hindrance.  The problem with this approach is you can’t tell who did what since the logs don’t actually reveal who the account user was.  There is also the issue around password changes for these accounts which oftentimes never occurs because communication of those changes is too painful.  Other organizations come at the problem from another perspective.  Rather than sharing the password for the super user account, they instead, perpetually elevate certain users to a super user status.  This approach is better since activity is now logged at the user level but having too many users with such highly elevated privileges is not a best practice and depending on your organizations account management process could leave the organization at risk if one of these users is terminated.

A far better approach is to grant access to super user privileges only when it’s required and for a limited period of time.  Identity Automation’s ARMS Workflow system provides a way of doing exactly that.  Implementation can be as unique as the organization; following are some examples.

• Create a workflow request that allows members of a certain group to be automatically granted super user status for a limited duration of time upon initiating their request.  After the prescribed amount of time has elapsed, super user access will automatically be revoked.
• Create a workflow that allows members of IT to request super user access but require approval from an IT manager or Director before access is granted. After a certain amount of time, the access would be automatically revoked.
• Create a workflow that allows certain members of IT to “check out” the Administrator account so they can perform certain administrative functions.  After a prescribed period of time the Administrator account password is automatically changed and the Administrator “assignment status” is reset.

The possible implementation scenarios are endless but the important thing is to have a viable solution in-place that ACTUALLY works and limits risk to the organization, is scalable and is fully auditable.

For more information on how you can use ARMS Workflow to manage Privileged User Access, please submit your contact information and one of our sales representatives will contact you.

Taking on a new solution, even one designed to lower costs, manage growing complexities, and mitigate ongoing risks, always carries a cost of ownership.  This is seen in software maintenance costs, often times an increased server footprint, and even in continued staff training and keeping their skill sets current on the technology.  More and more, we have to look beyond the benefit of the solution to the organization, and weigh carefully the total costs of owning the solution.

We consider all information technology assets and solutions moving in the direction of “the cloud.”  Organizations want to capitalize IT, and remove it from their overhead as much as possible. To do this organizations are looking more and more at hosted solutions, software-as-a-service vendors, and outsourced IT.

A couple of years ago, there was no strategy to deliver Identity Management Solutions in any way other than a significant server footprint on-site, typically occupying multiple servers (physical and VM) with high availability and fail-over.  This data center growth to accommodate the solution impinged on any immediate ROI, and made the solution more costly to manage in the long term. 

With our shift in strategy we fully embrace the new hosted and service oriented delivery of identity management, giving our customers a turn-key identity management solution without the need to parse out data center space, or to keep their staff resources concerned with new technology.  Identity management for our customers is now a service that is out of the day to day concern, and provides automated provisioning and workflow management through a simple web-UI that is both intuitive and clean.  As customer needs shift, or changes are required to the solution to accommodate internal policy, we manage the solution to bring it into alignment.

This strategy is proven to lower TCO, and allows our customers to achieve a real ROI in a fraction of the time of a traditional IDM deployment.

For more information on how our solutions can help lower your TCO, please submit your contact information and one of our sales representatives will contact you.