Taking on a new solution, even one designed to lower costs, manage growing complexities, and mitigate ongoing risks, always carries a cost of ownership.  This is seen in software maintenance costs, often times an increased server footprint, and even in continued staff training and keeping their skill sets current on the technology.  More and more, we have to look beyond the benefit of the solution to the organization, and weigh carefully the total costs of owning the solution.

We consider all information technology assets and solutions moving in the direction of “the cloud.”  Organizations want to capitalize IT, and remove it from their overhead as much as possible. To do this organizations are looking more and more at hosted solutions, software-as-a-service vendors, and outsourced IT.

A couple of years ago, there was no strategy to deliver Identity Management Solutions in any way other than a significant server footprint on-site, typically occupying multiple servers (physical and VM) with high availability and fail-over.  This data center growth to accommodate the solution impinged on any immediate ROI, and made the solution more costly to manage in the long term. 

With our shift in strategy we fully embrace the new hosted and service oriented delivery of identity management, giving our customers a turn-key identity management solution without the need to parse out data center space, or to keep their staff resources concerned with new technology.  Identity management for our customers is now a service that is out of the day to day concern, and provides automated provisioning and workflow management through a simple web-UI that is both intuitive and clean.  As customer needs shift, or changes are required to the solution to accommodate internal policy, we manage the solution to bring it into alignment.

This strategy is proven to lower TCO, and allows our customers to achieve a real ROI in a fraction of the time of a traditional IDM deployment.

For more information on how our solutions can help lower your TCO, please submit your contact information and one of our sales representatives we will contact you.

The strength of user passwords sets the bar for the strength of an organization’s defenses against “bad guys” gaining access to valuable organizational resources.  For that reason alone, it is of paramount importance that a best practice password policy is implemented and enforced.

Following are a few guidelines to consider when thinking about password and access policy for your organization:

• Require STRONG passwords and enforce their use with technology.  Educate your users so they understand that strong doesn’t have to mean difficult.  Encourage them to use words that mean something to them (but not the names of family or pets) and use a technique of replacing certain letters with symbols or numbers so the user can, more easily, remember the password.  Mixing case is also important.  The key is to find a technique and always use that technique.  An example might be to always capitalize the first letter and last letter of the word, use “@” instead of “a” and “0” instead of “o”  (e.g. P@ssw0rD)
• Treat your passwords like you treat your underwear; change them often and don’t leave them lying around.  REQUIRE regular change.  There is plenty of debate around the effectiveness of requiring regular password changes but requiring changes every 90 to 120 days, in theory, should result in a more secure environment.  The best example of why this might be effective is that a change thwarts the “bad guy” in a situation where an account has been compromised and is being used to snoop and steal data.
• Bigger IS better.  The longer the password, the likelihood that it can be cracked is significantly reduced.  A minimum of eight characters is best practice but if you can get away with it push for strings in excess of 10 characters.
• Implement a synchronization system so that a password change in one place (e.g. Active Directory) is captured and pushed to all other systems within the organization.  This improves user satisfaction and increases security by ensuring that passwords are changed on a regular basis in all systems, even if some of those systems are infrequently logged into by their users.
• Require two-factor authentication when accessing very sensitive data or when accessing data from off-site.  Two-factor does NOT have to equal expensive.  There are USB solutions, for example, that can be implemented and are just as effective as more expensive options.  This combined with an effective password strategy can greatly increase security because now it’s more than what you know, what you have becomes just as important.
• Educate, Educate, Educate!  Make sure your user community understands that their passwords are the organization’s primary defense against valuable data loss.  Passwords should never be written down nor should the password ever be a word that can be found in the dictionary (see bullet one). Users should be trained to notify the IT department (or the security team, if one exists) if they suspect that their account has been compromised.  Don’t forget the help-desk team either.  Help-desk staff should be educated to avoid social-engineering techniques that are used every single day to acquire passwords by “tricking” support staff into resetting an account’s password and sharing that password with someone other than the account owner.

For more information on implementing effective password and access policies and automated mechanisms to manage them, please submit your contact information and one of our sales representatives we will contact you.

While working with our customers, we are regularly surprised to find so little continuity in the way that many organizations handle their data integration. 

Usually these conversations arise because a customer needs a way to feed existing data into another system.  As you can imagine, this is a very common scenario.  What’s surprising, however, is how often the movement of this data is done in an ad-hoc fashion.  This ad-hoc approach results in all types of uncontrolled data extractions with equally uncontrolled data hand-offs. 

By “uncontrolled” I mean that these scripts that are used to extract data are rarely managed in a centralized fashion.  As time goes on administrators leave the organization and relationships with partner organizations (with whom you were sharing data) are terminated, yet the scripts are forgotten and continue to run.

An approach that we take with our customers is to centralize all data management using our Data Synchronization System.  This allows all data extraction, data transformation and data insertion functions to reside in a central location so they can be properly managed. With this approach, administrators can see all the scripts that touch their data sources and regularly validate their place in the environment.  This is a much better model and one that can significantly lower risk to the organization.

In this world of ever increasing risk of being in violation of a compliance requirement or an embarrassing incident due to uncontrolled data access, it is of paramount importance to take all necessary steps to control data extracts.

If you are unsure of your risk, call Identity Automation today to learn more about our Data Security Assessments.

If you would like to be contacted by a Sales Representative, please submit your contact information and we will contact you as quickly as possible.

Every organization running more than one system has a need to synchronize data. For different systems the type of data may be different but it is still just data. In all cases you have a “source” system and a “target” system. Wikipedia defines data synchronization as “the process of establishing consistency among data from a source to a target data storage and vice versa and the continuous harmonization of the data over time.”

The reasons for synchronizing data are infinite. We typically synchronize data based on one of three broad categorizations: application integration, business intelligence and identity provisioning.

Application integration fills the need of directly synchronizing business data directly between otherwise disparate systems. In a corporate environment this might mean synchronizing inventory data from an inventory tracking system to an ordering system. In an education environment data synchronization is used for cases like synchronizing “free and reduced lunch” status from a child nutrition system to a student information system. In all cases, there lies the basic need to extract data from the source, perform data transformation, implement logic and then load the resulting data into the target system.

Business intelligence requirements are slightly different. Instead of synchronizing data between systems, the focus here is to pull data from many sources to populate a central data warehouse. The primary purpose of the data warehouse is to provide a single target for defining reports that help the business operate and make decisions based on the data that it has in its various systems. For education we use that same architecture to build a student data warehouse that combines student data from systems like the student information system, child nutrition, transportation, grade book, library, etc., to provide parents with an aggregated view of their child data. In the case of business intelligence, data synchronization is key; however, we are still abiding by the same basic principle that we are simply moving data from source to target, with some intelligent logic in between.

Finally there is the matter of identity provisioning. Identity provisioning is a wonderful example of data synchronization. For this purpose you can automate account creation and lifecycle management by synchronizing identity information from your authoritative systems such as your HR or Payroll application. In those systems you track hires, job assignments, manager relationships, transfers, terminations, etc. By extracting and transforming this data, you can create accounts, manage group memberships, move accounts, disabled accounts, etc, without any human intervention. Even though these solutions can be extremely complex, one thing remains true: we pull data from a source system, we transform and perform logic operations on the data, and we push that data to a target system.

In case you feel like none of these scenarios are applicable to your organization, ask yourself this: Do we export text files and send them off to some person or organization? Do you receive files from elsewhere and import them into your systems (after perhaps some manually data cleansing). Do you get a spreadsheet of events and then use that information to manually make changes in your systems? If you answer yes to any of these, then this is very applicable to you. File import/export/transfer, etc. is definitely included in the application integration category. Same with manual entry BASED on data from another system. Notice above I did not specify the means of synchronizing the data, just that data from a source was synchronized to a target system.

So, why does this matter? Why am I so interested in the topic of data synchronization? Well, the reason is simple and, for me, very exciting. Let me explain. I’ve been in the IT industry since 1991 when I joined the USMC as a computer programmer. Since that time I have dealt with every data synchronization method possible. Since 1998 my job has strictly focused on this very subject. It’s been called many things but really I’ve specialized in data synchronization solutions. One thing I’ve learned to be certain is that the technology that is available on the market today is too complicated and too resource intensive! Customers are required to spend significant dollars to implement these solutions and then can’t support them once implemented. Projects can take months, sometimes years, to deploy. Today I came across a quote by Albert Einstein. It is now my favorite quote of all time: ” Any intelligent fool can make things bigger and more complex… It takes a touch of genius and a lot of courage to move in the opposite direction.” I couldn’t have said it any better myself, Albert!

I’m proud to say that Identity Automation is building software that is all about getting back to the data basics. Our data synchronization tool, the Data Synchronization System (DSS), was designed to be easy to learn, easy to use yet still have the capability to handle any data synchronization need. How did we do this? How did we achieve the unachievable? Simple. We focused on the basics: we are synchronizing data from one bucket to another. It doesn’t have to be any more complicated than that. Of course, the design of the user interface has a lot to do with it too. Instead of developing a tool with a lot of wiz-bang crazy cool features, we stuck to the basics. First of all, you define your projects from any flash-compatible browser running on any platform. Secondly, there is no new language to learn. All capabilities of DSS are defined as actions. These actions are listed in your browser session. To use them you drag them into your “Action Set Desktop”, click on them and fill out the appropriate property values for that action. Simple, right?

Of course, reading about it can only give you so much of an appreciation of such a tool. Please visit our product page on DSS and definitely give us a call so we can demonstrate some of those capabilities.

Those of us that work in the Identity and Access Management space, recognize that there are going to be significant changes in the IAM arena over the next few years.  One particular change will be the movement of Identity related services to the cloud thus lowering the entry cost for such services to both smaller and budget/resource challenged organizations.

This position is also held by research groups such as Gartner.  Ant Allan, Research VP for the company, said the following at an Identity & Access Management Summit in London in 2009:

“There is a continuing need in this time of economic uncertainty and budgetary constraint for cost-effective, risk-appropriate IAM methods”.

“This includes growing demand for identity-aware networking, host-based and service-based IAM offerings ... “

Well before we started to see a down-turn in the economy, the whole concept of SaaS had become very palatable to businesses.  Just as a business relies on electricity that they do not produce, so too can they consume critical infrastructure services that they do not build and manage themselves.  This particular position is being further driven by the ever increasing need to comply with both internal and external mandates which makes building such an infrastructure and developing a staff of experts to maintain it more and more difficult.

Identity and Access Management, while vitally important, are not a core competency of most organizations. The complexity of such solutions makes the idea purchasing these capabilities from a third party very desirable. 

Identity automation now has offerings that play to this specific need.  With our hosted and/or managed provisioning solution, sponsorship / attestation solution and workflow solution it is now more affordable than ever to implement an automated system that will provide full identity lifecycle management, storage provisioning and more.

If you would like to learn more about our Identity Management solutions or any other Identity Automation offering please contact us  today.

At Identity Automation, we’re passionate about security and have the opportunity to work with our customers on such issues each and every day.

We all know how important it is to ensure that proper controls are in place to minimize data security risks to the enterprise yet mishaps still occur all too frequently.  A good example of what not to do can be found in this Network World article.  The piece describes how data for 1.2 million customers of a New England financial services company was compromised because usernames and passwords were shared amongst the company’s support staff.

Had this organization implemented automated password and account management policies this disaster could have been avoided altogether.

If you don’t have an effective Identity Management solution today, you should seriously consider exploring options to minimize potential breaches that could cost your organization money and credibility.

If you would like to learn more about our Identity Management solutions or any other Identity Automation offering please contact us  today.

Back in the good old days of NetWare, if you wanted to see all registered services in SLP, you would simply type: display slp services and the full list would appear on your screen.

Fast forward to Linux and OpenSLP and you can’t do that very easily. Using a combination of slptool switches, you can eventually get all the same information, but it is cumbersome and time consuming.

The following script was written to make that job simple and quick. It will write all the services to your screen and allow you to scroll up and down the list at will. It will also write the results to a file in the /tmp directory so you can look at it again without having to run the script. This also allows you to quickly grab the results from multiple computers for comparison.

Just copy your script to each server you’d like to run it on. I recommend putting it somewhere in the path, such as /usr/local/bin. Then, you make the script executable (chmod +x ./slpshowall.sh) and you are ready to run it.

If you would like to learn more about our support services or any other Identity Automation offering please contact us today.

There was a time when user expectations were simple. Give them some text, maybe a button or two and they were content. White and black were perfectly good colors. Why would you want pictures cluttering up your 640 x 480 workspace anyway?

Times have changed and life as an application developer has changed with it. The client market is diverse. Do you develop for Windows, Mac OS/X, Linux? Firefox, Chrome, Internet Explorer (6, 7, 8)? Users don’t really care as long as your application works on whatever platform they happen to be on at that time. They also don’t care about CSS, DOCTYPEs, or JavaScript frameworks. This is where Adobe Flex comes in.

Flex is an open source framework that allows application developers to create applications that run on virtually any platform in any environment. It also allows developers that do not list Photoshop on their resume to create tools that look like they were created by a graphic designer. Flex has the ability to use MXML tags for development which feels like writing HTML or you can dive down a level and use ActionScript 3.0 to accomplish more low-level manipulation. Another perk of Flex is the ability to export your applications as a Flash .swf file for embedding in a website or as an AIR stand-alone application. Both of these methods require the client to have the Flash or AIR player, but will otherwise look and run the same on any platform. This saves countless hours of development time testing on each browser on each platform.

The web services model of application development is now nearly ubiquitous across the development space. Flex serves as a great tool for this as well. It allows you to have a powerful back-end service that leverages a language of your choice, such as Java. Your engine can then expose its web services to a Flex front end. This provides a clear separation between the engine and the user interface allowing disparate development teams to easily work on the parts best suited for their skills.

Leveraging Adobe Flex for rich client applications allows Identity Automation to rapidly develop applications that are fully featured and run in nearly any environment.

If you would like to learn more about our custom application development practice, our Flex based solutions, or other Identity Automation offerings please contact us today.

Many of our customers have found that as the number of critical applications and services increases in their environment, so does the need to deliver them to their users continuously.  Additionally, users are demanding more out of the applications, wanting customized views, dynamic data, and ad-hoc reporting.  These requirements are putting additional stress on the web servers and application infrastructure.  Often, web or application servers become overly taxed, and appear non-responsive to the users.

To address this problem, many IT organizations have implemented DNS round robin.  This is an inexpensive and quick method of distributing the user connections among two or more web or application servers.  This method is very basic, in that two or more DNS entries are made for the web server or application, one for each server that will answer requests.  For example, myapplication.identityautomation.com may have two entries, one that points to server1.identityautomation.com and one that points to server2.identityautomation.com.  However, as simple as this may be, there are drawbacks to using this method to spread the load among the infrastructure.  DNS round robin might be more appropriately named DNS random robin, as DNS servers cannot tell if a server is available before they respond with the server name to the requestor, nor can they help in the case of cached DNS entries on a user’s computer.  DNS round robin will simply hand out server1 then server2, and then repeat this.  Hypothetically, the DNS server could hand out server1 several times in a row.  Furthermore, the session state will be opened with the server that DNS returns to the user, and in the event that something happens to the server, that conversation is broken and dropped.

An alternative to DNS round robin is to use a load balancing appliance that can load balance at different layers of the Open Systems Interconnect (OSI) model.  A load balancing appliance, such as a Citrix Netscaler MPX series device, uses algorithms that can be customized to first check to see if a server is available to service a request, and also determine how many connections that server already has.  Some of these devices can dig further into the application infrastructure to determine if the server has enough memory, cpu, etc. to service the request.  Load Balancing appliances can even use a geographic algorithm to determine which server is closer to the user and will be better suited to service the request.  These appliances make these determinations at an extremely high rate, and often handle 100,000 or more simultaneous requests.  They can also maintain session state, ensuring that access to the server or application is continuous and not dropped.  One Netscaler model, the MPX 17000, can handle a throughput speed of 18gbps, and handle 1.5 Million HTTP requests per second.

The main drawback to the load balancing appliances is that they are not free.  However, managing them is not difficult, and the performance that they offer can help keep the path for the user to access web servers and applications open and available.  This allows IT organizations to deliver complex applications to their user community without sacrificing performance, increasing availability, and without relying on randomization.

If you would like to learn more about about load balancing appliances or other Identity Automation offerings please contact us  today.

As technology evolves we are finding that the methods for application delivery are also evolving.  While there are a number of varying technologies such as application streaming and terminal services, the most exciting is the movement of applications into the cloud.  Moving applications and services to the cloud allows them to be consumed via a browser which completely changes the landscape in terms of end-user platform requirements, licensing management and so much more.

There are a number of significant market forces driving the move to the cloud.

The first factor is the growing number of web applications entering the market each day. Eight out of ten enterprise applications purchased or developed by organizations are based on web technologies. The reason is simple, web applications are centralized, scalable, and have little or no client-side dependencies.

The second market factor is what we call “decoupling”. When the desktop is decoupled from the operating system it gains the freedom to move from device to device. This factor is significant due to the fact there are many new products entering the sub-notebook market such as netbooks, thin clients, and smartphones. With the desktop decoupled, users are fee to access their desktop from a wide variety of devices.

Last, but not least, is a significant shift away from a client-centric computing model.  While many organizations work well in the traditional application delivery model, some organizations are looking for creative ways to store and deliver applications from a centralized location.

Over the past couple of years, Identity Automation has been working with products such as Stoneware’s webNetwork which allows organizations to build their own private cloud where users can access their web, Windows, and hosted applications from anywhere using any device whether they are at home, on the road, or inside the office.

These changes are exciting to see and are undoubtedly the foundations of what will be a lasting paradigm shift for application and desktop delivery into the future.

If you would like to learn more about cloud computing, the webNetwork product or other Identity Automation offerings please contact us  today.