Welcome

Thank you for taking the time to visit my blog. My name is Drew Olson, and I hope to use this space to share ideas and generate conversation regarding identity and access management.

    Recent Postings
    Thursday, March 24, 2011

    Data Breach #1: Eastern Michigan University

    Every now and then I will be posting news and information regarding serious failures in identity and data protection. The stories I post will highlight examples where, I believe, the lack of an effective access management policy contributed in part to the security breach.

    My goal here is to highlight how frequently these attacks occur, to show where some of these vulnerabilities exist, and how costly the consequences can be.  I do not aim to single out the failures of any one organization, but to stress the importance of identity management and access security. 

    Detroit News/March 11, 2011

    EMU probes security breach of student data

    Ypsilanti — Eastern Michigan University's Department of Public Safety is investigating a security breach involving the personal information of 45 students, EMU officials said.

    Names, birth dates, and Social Security numbers were improperly accessed by two former student employees who worked in offices where they had access to student records, EMU officials said.

    It was not immediately clear when the information was accessed or where it was sent. Public safety officials learned of the breach while investigating an unrelated matter in the last two weeks, said Walter Kraft, the university's vice president of communications.

    Officials did not reveal in what offices the students worked but, according to a statement on the university's website, they "used that access to improperly copy and, in a few instances, transmit personal information of students or their dependents."

    After the breach was discovered, "steps were immediately taken to identify the scope of the breach and remove the threat that further information could be improperly accessed." The student workers are no longer employed by the university. The students whose information was transmitted have been notified.

    "If you did not receive notification, then based on our current information, we do not believe your records were involved," university officials said.

    For information on identity theft, EMU students can go to http://www.emich.edu/securitybreach-march-2011/index.php.

    From The Detroit News: http://detnews.com/article/20110311/SCHOOLS/103110395/EMU-probes-security-breach-of-student-data


    For information on Tools4ever's identity & access management opportunities, visit http://www.tools4ever.com/solutions/

    Wednesday, March 23, 2011

    Practical Scenario: PowerSchool Data Synchronization 

    School districts these days are facing serious challenges that require balancing increased technology demands and a surprisingly tech-savvy user base with reduced budgets and staff cuts. Recently, though, I was approached by a school district that had decided a new user provisioning process could help it address these issues.

    Their current situation:

    • 12,000+ students/staff with network accounts
    • PowerSchool Student Information System
    • Google Apps for students, Exchange 2007 for staff
    • 9 IT staff (3 admins)
    • Scripts create Active Directory accounts from a provided data file, usually run at the beginning and end of each semester
    • The sysadmin who wrote the scripts left the district two years ago
    • User accounts are also created in about 6 other systems, including library, e-learning, etc.

    This scenario is not at all uncommon, but what amazed me was the amount of time this district spent each year managing user accounts. The scripts were really only run about once a year, but they still involved manual updating because of a new naming convention that had been introduced. Because no one could figure out the process the previous admin had scripted, hours upon hours were spent making these updates by hand. Updating and removing users from the systems was, again, a manual process and often neglected. Active accounts remained on the network for past users, and most updates were never made until someone called IT because they were unable to work. Needless to say, this process created a lot of wasted time and resources, and it also opened the door to some serious access issues: every enabled account belonging to a former student or staff member is a valid credential that nobody is watching.

    The district thought, and I agreed, that a more automated approach to user management would free up this time and close some existing security holes. For a school district, implementing an automated system, via a connector to PowerSchool for example, does not have to be difficult if proper planning is done and the data is available. Tools4ever's User Management Resource Administrator (UMRA) makes this planning and data synchronization a much more manageable process.

    The proposed solution was built on the UMRA suite and outlines a two-phase approach, as follows:

    Phase 1: creating a link with the PowerSchool system and Google Apps

    • Information on new students/employees, transfers and graduations/departures is retrieved from the current status in PowerSchool, then compared with Active Directory and Google Apps
    • Accounts are created or updated as required multiple times a day, so that changes to information or status are applied consistently and on time; notifications can be sent to IT, end users or any other appropriate party
    • Phased departures: user accounts are disabled on the last day of service, and the account together with its resources is deleted after a set number of days
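    The following is an added example, not code from the original post or from Tools4ever's UMRA, showing how the Phase 1 reconciliation above could be scripted in PowerShell against Active Directory (the Google Apps side is left out). The CSV columns and sample rows are constructed, and the OU, the naming convention, the use of employeeID as the join key and the 30-day grace period are assumptions to adjust for your environment. Every change runs with -WhatIf, so the script reports what it would do; drop the switch to apply it. The point of writing it this way rather than as a one-off script is that the naming rule and the leaver handling are explicit and repeatable, which is exactly what the district lost when the original author left.

```powershell
# Added example (not from the original post or UMRA): reconcile a constructed
# student information system export against Active Directory.
# Assumptions: ActiveDirectory module available, accounts live under $StudentOU,
# the SIS student number is stored in employeeID, leavers carry an ExitDate.
Import-Module ActiveDirectory

$StudentOU = 'OU=Students,DC=district,DC=local'   # assumed OU
$GraceDays = 30                                   # assumed: delete disabled leavers after 30 days
$Today     = (Get-Date).Date

# Constructed sample export; in practice this is exported from PowerSchool.
$SisExport = @'
StudentNumber,FirstName,LastName,Grade,ExitDate
100001,Ana,Garcia,10,
100002,Ben,Okafor,12,2011-06-10
100003,Chloe,Nguyen,9,
'@ | ConvertFrom-Csv

# Assumed naming convention: first initial + last name + last four digits of the
# student number, computed by code so that renames are repeatable.
function Get-SamAccountName([string]$First, [string]$Last, [string]$Number) {
    $base = (($First.Substring(0, 1) + $Last) -replace '[^A-Za-z0-9]', '').ToLower()
    return $base + $Number.Substring($Number.Length - 4)   # e.g. agarcia0001
}

# Leaver handling: disable on the exit date and stamp a deletion date; once that
# date has passed, remove the account (and with it the resources tied to it).
function Invoke-Leaver($Account, [datetime]$ExitDate) {
    if ($Account.Enabled) {
        $deleteAfter = $ExitDate.AddDays($GraceDays).ToString('yyyy-MM-dd')
        Set-ADUser $Account -Enabled $false -Replace @{ extensionAttribute1 = "deleteAfter=$deleteAfter" } -WhatIf
    }
    elseif ($Account.extensionAttribute1 -match '^deleteAfter=(\d{4}-\d{2}-\d{2})$' -and
            [datetime]$Matches[1] -le $Today) {
        Remove-ADUser $Account -Confirm:$false -WhatIf   # grace period expired
    }
}

# Index existing accounts by employeeID so a name change in the SIS updates the
# existing account instead of creating a duplicate.
$Existing = @{}
Get-ADUser -SearchBase $StudentOU -Filter 'employeeID -like "*"' `
    -Properties employeeID, givenName, sn, extensionAttribute1 |
    ForEach-Object { $Existing[$_.employeeID] = $_ }

foreach ($s in $SisExport) {
    $sam  = Get-SamAccountName $s.FirstName $s.LastName $s.StudentNumber
    $left = -not [string]::IsNullOrEmpty($s.ExitDate) -and ([datetime]$s.ExitDate -le $Today)
    $ad   = $Existing[$s.StudentNumber]

    if (-not $ad) {
        if ($left) { continue }   # never create an account for someone who has already left
        New-ADUser -Name "$($s.FirstName) $($s.LastName)" -SamAccountName $sam `
            -GivenName $s.FirstName -Surname $s.LastName -EmployeeID $s.StudentNumber `
            -Path $StudentOU -Enabled $true -ChangePasswordAtLogon $true `
            -AccountPassword (ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force) -WhatIf
        continue
    }

    # Mover: the SIS record changed (e.g. a name change), update the account in place.
    if ($ad.givenName -ne $s.FirstName -or $ad.sn -ne $s.LastName) {
        Set-ADUser $ad -GivenName $s.FirstName -Surname $s.LastName -WhatIf
    }

    if ($left) { Invoke-Leaver $ad ([datetime]$s.ExitDate) }
    $Existing.Remove($s.StudentNumber)
}

# Whatever is still in $Existing is in AD but no longer in the feed at all:
# treat it as a leaver from today, so orphaned accounts cannot linger for years.
foreach ($orphan in $Existing.Values) { Invoke-Leaver $orphan $Today }
```

    Run it as a scheduled task several times a day, as the bullet above proposes, and review the -WhatIf output for the first few runs before removing the switch.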

    Phase 2: linking third-party applications

    • Phased creation of automatic links with each application, with the provisioning process tailored to the user's role and the target system
    • The application manager is notified by e-mail of any changes

    To learn more about how a phased UMRA solution can benefit your organization, visit our website: www.tools4ever.com


    Monday, March 21, 2011

    Delegate: Managing a functional mailbox

    In addition to managing user accounts and distribution lists, administrators have to deal with functional mailboxes, also known as shared or resource mailboxes. In many cases, these mailboxes are not associated with a person but with a particular purpose or facility, such as a meeting room, a project or a storage folder. Although a functional mailbox may seem simple, in practice managing one can turn out to be quite complex.

    In Microsoft Exchange, every mailbox is linked to an Active Directory user account. This creates an odd situation, since a functional mailbox is not necessarily associated with a person: Active Directory ends up holding accounts with names like "MeetingHallRoom211" and "Suggestion box", accounts that nobody should be able to use to log on to the network. Exchange 2007 and later address this for room, equipment and shared mailboxes by creating them with a disabled account by design and granting access through mailbox permissions rather than through the account itself. A functional mailbox that was created as an ordinary user mailbox, however, sits on an enabled account, and on Exchange 2003 simply disabling that account breaks the mailbox unless an external master account is associated with it. A possible solution is to restrict the account, under its "Log On To" setting in Active Directory, to a computer name that does not exist. The account remains a regular, active account, but there is no workstation or server it can log on to interactively. Be aware of the limit of this trick: it only blocks interactive logons at domain-joined computers, and the account can still authenticate over the network (which is exactly what keeps the mailbox reachable), so combine it with a long random password that nobody retains.

    Besides managing the account itself, access to the mailbox and the privileges of its users must be managed. These privileges live in the security settings of the mailbox's Active Directory account. A common one is "Send-As", which lets a user send mail as the mailbox, so that the recipient sees the mailbox's address as the sender (this is distinct from "Send on Behalf", a mailbox setting under which the message shows the user sending on behalf of the mailbox). For IT administrators this is not a trivial change: you have to open the security settings of the account and tick the Send-As right for the other user. If a single functional mailbox is used by more than ten users, that access list becomes long and hard to review, which is why it is better practice to grant the right to a security group and manage membership of that group instead.

    The UMRA solution by Tools4ever makes it possible to delegate management tasks for functional mailboxes to members of the organization. For instance, you can appoint various users who are allowed to create functional mailboxes and manage privileges. They are offered a user interface with electronic forms, which simplifies matters to the point where they only have to specify a name to create a mailbox. UMRA's engine checks whether the name is still available and applies the relevant format so that it can be turned into a correct mailbox with all the relevant Active Directory settings. They can subsequently use the same interface to generate an overview of all existing functional mailboxes and to manage privileges. Users can be added to or removed from each functional mailbox, and individual settings such as Send-As can be assigned easily. Administrative tasks are carried out directly in Active Directory without an IT administrator having to intervene. However, the users who perform these tasks do not hold privileges that allow direct access to Active Directory; they have only the privileges necessary to perform the task at hand, and the actual change is made by UMRA through a secured delegation layer.
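    As an added example, not code from the original post or from UMRA, the following PowerShell puts the three ideas from the paragraphs above into working commands: the account-level lockout for an enabled functional mailbox account, the Send-As grant (kept apart from Send on Behalf and Full Access), and a small delegation wrapper that hands a delegate only the one operation they need and refuses to touch anything that is not a functional mailbox. It targets the Exchange Management Shell (Exchange 2007/2010 cmdlets) plus the ActiveDirectory module; the OU, domain, mailbox names and the delegation group are assumptions.

```powershell
# Added example (not from the original post or UMRA): functional mailbox
# hardening and least-privilege delegation with Exchange and AD cmdlets.
# Assumed: $ResourceOU holds functional mailbox accounts, $DelegateGrp is the
# group allowed to use the wrapper, mailbox names are illustrative.
Import-Module ActiveDirectory

$ResourceOU  = 'OU=Resources,DC=district,DC=local'   # assumed
$Domain      = 'district.local'                       # assumed
$DelegateGrp = 'Mailbox-Delegation-Admins'            # assumed

# 1. A room mailbox. Exchange 2007+ creates its AD account disabled by design,
#    so nobody can log on with it; access comes only from mailbox permissions.
New-Mailbox -Name 'Meeting Hall Room 211' -Alias 'room211' -Room `
    -UserPrincipalName "room211@$Domain" -OrganizationalUnit $ResourceOU

# 2. A functional mailbox that was created as an ordinary user mailbox sits on an
#    enabled account. Restrict "Log On To" to a workstation that does not exist and
#    set a long random password nobody keeps. Caveat: this blocks interactive logon
#    at domain-joined computers only; network authentication still works, which is
#    what keeps the mailbox reachable for Exchange.
$suggestionBox = Get-ADUser -Identity 'suggestionbox'
Set-ADUser -Identity $suggestionBox -LogonWorkstations 'NO-SUCH-PC'
Set-ADAccountPassword -Identity $suggestionBox -Reset -NewPassword (ConvertTo-SecureString `
    ([guid]::NewGuid().ToString() + [guid]::NewGuid().ToString()) -AsPlainText -Force)

# 3. Delegation wrapper: one right, on one kind of object, for authorised callers.
#    It refuses mailboxes outside the resource OU, so a delegate cannot use it to
#    obtain Send-As on a real person's mailbox, and the grantee should be a group
#    so the ACL stays short when many people share the mailbox.
function Grant-FunctionalMailboxAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,   # alias or name of the functional mailbox
        [Parameter(Mandatory = $true)][string]$Grantee,   # user or (preferably) security group
        [ValidateSet('SendAs', 'FullAccess', 'SendOnBehalf')][string]$Right = 'SendAs'
    )
    $caller = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $allowed = Get-ADGroupMember -Identity $DelegateGrp -Recursive |
        Where-Object { $_.SID.Value -eq $caller.User.Value }
    if (-not $allowed) { throw "$($caller.Name) is not a member of $DelegateGrp" }

    $mbx = Get-Mailbox -Identity $Mailbox -ErrorAction Stop
    if ($mbx.DistinguishedName -notlike "*,$ResourceOU") {
        throw "$Mailbox is not a functional mailbox (not under $ResourceOU)"
    }
    switch ($Right) {
        # Send-As: an extended right on the AD object; recipients see the mailbox as sender.
        'SendAs'       { Add-ADPermission -Identity $mbx.DistinguishedName -User $Grantee -ExtendedRights 'Send-As' }
        # Full Access: a mailbox permission; lets the grantee open the mailbox.
        'FullAccess'   { Add-MailboxPermission -Identity $mbx.Identity -User $Grantee -AccessRights FullAccess -InheritanceType All }
        # Send on Behalf: a mailbox attribute; recipients see "grantee on behalf of mailbox".
        # The @{Add=} form needs Exchange 2010 or later; on 2007 pass the complete list.
        'SendOnBehalf' { Set-Mailbox -Identity $mbx.Identity -GrantSendOnBehalfTo @{ Add = $Grantee } }
    }
}

# Usage: grant Send-As to a group rather than to ten individual users.
Grant-FunctionalMailboxAccess -Mailbox 'room211' -Grantee 'Room211-Senders' -Right SendAs

# 4. Audit: list explicit (non-inherited) Send-As grants so the list can be reviewed.
Get-ADPermission -Identity 'room211' |
    Where-Object { $_.ExtendedRights -like 'Send-As' -and -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
    Select-Object User, Deny
```

    The wrapper still runs with the rights of whoever invokes it, so in a real deployment it would be exposed through a constrained endpoint or a delegation product such as the one the post describes; the value of the function is that the checks on caller and target are in one reviewable place.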


    For more information about how UMRA can simplify tasks visit our website: www.tools4ever.com