<?xml version="1.0" encoding="UTF-8"?>
<!--Generated by Squarespace V5 Site Server v5.13.166 (http://www.squarespace.com) on Thu, 20 Jun 2013 11:27:45 GMT--><feed xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/"><title>IDM &amp; IAM Discussions</title><subtitle>IDM &amp; IAM Discussions</subtitle><id>http://www.umrabuzz.com/idm-iam-discussions/</id><link rel="alternate" type="application/xhtml+xml" href="http://www.umrabuzz.com/idm-iam-discussions/"/><link rel="self" type="application/atom+xml" href="http://www.umrabuzz.com/idm-iam-discussions/atom.xml"/><updated>2011-09-26T16:29:03Z</updated><generator uri="http://five.squarespace.com/" version="Squarespace V5 Site Server v5.13.166 (http://www.squarespace.com)">Squarespace</generator><entry><title>IDM Webinar - Gary Oppel from Church &amp; Dwight</title><category term="Tools4ever. Church &amp; Dwight"/><category term="identity management"/><category term="iidentity management"/><category term="sself service password resets"/><category term="user provisioning"/><id>http://www.umrabuzz.com/idm-iam-discussions/2011/9/26/idm-webinar-gary-oppel-from-church-dwight.html</id><link rel="alternate" type="text/html" href="http://www.umrabuzz.com/idm-iam-discussions/2011/9/26/idm-webinar-gary-oppel-from-church-dwight.html"/><author><name>Drew Olson</name></author><published>2011-09-26T16:24:15Z</published><updated>2011-09-26T16:24:15Z</updated><content type="html" xml:lang="en-US"><![CDATA[<p>If any of you guys are interested, here is a link to the archived webinar hosted by Redmond Magazine last week. In this webinar, Gary Oppel from Church &amp; Dwight discussed the challenges his organization faced with user management and how Tools4ever was able to assist with a solution.</p>
<p>This webinar will be archived until December 22, 2011 and can be found <a href="http://w.on24.com/r.htm?e=348844&amp;s=1&amp;k=682D4B1A0CEA8F7AE8FA1CCFF9E4F673">here.</a></p>]]></content></entry><entry><title>Identity Management Webinar - September 22, 2011. 11am PST</title><category term="identity management"/><category term="identity management"/><category term="password management"/><category term="single sign-on"/><category term="user provisioning"/><category term="webinar"/><id>http://www.umrabuzz.com/idm-iam-discussions/2011/8/22/identity-management-webinar-september-22-2011-11am-pst.html</id><link rel="alternate" type="text/html" href="http://www.umrabuzz.com/idm-iam-discussions/2011/8/22/identity-management-webinar-september-22-2011-11am-pst.html"/><author><name>Drew Olson</name></author><published>2011-08-22T18:43:23Z</published><updated>2011-08-22T18:43:23Z</updated><content type="html" xml:lang="en-US"><![CDATA[<p><a href="http://redmondmag.com/webcasts/2011/08/advancedtools4ever-solving-the-identity-management-crisis.aspx?partnerref=advtool">View Details and Register Here</a></p>
<p>Polluted user account databases, endless calls to the helpdesk for password resets, forgotten log in credentials to applications and systems &ndash; do these situations sound familiar? Organizations today are faced with a myriad of identity and access management issues. From managing the user lifecycle to single sign-on and even password reset options. No organization is immune to the need to implement organized, effective and cost efficient solutions to combat these issues.&nbsp;<br /><br />Join Gary Oppel as he discusses the challenges his company faced with managing thousands of user accounts and how they brought in solutions that would allow for quick implementation with fast ROI. You will learn how Dwight &amp; Church implemented an identity management solution that:</p>
<ul>
<li>Automated the user lifecycle, provided provisioning and organized the Active Directory environment</li>
</ul>
<p>And how Dwight &amp; Church plan to implement additional solutions to:</p>
<ul>
<li>Reduce calls to the helpdesk for password related issues by implementing a password reset solution</li>
<li>Provide a single sign on solution to increase productivity and reduce calls to the helpdesk for access management issues</li>
</ul>]]></content></entry><entry><title>Summer Fun - From Helping the Helpdesk</title><category term="Aeries"/><category term="Google Apps"/><category term="Infinite Campus"/><category term="PowerSchool"/><category term="SIS"/><category term="Skyward"/><category term="User Management"/><category term="automated provisioning"/><category term="identity management"/><id>http://www.umrabuzz.com/idm-iam-discussions/2011/7/28/summer-fun-from-helping-the-helpdesk.html</id><link rel="alternate" type="text/html" href="http://www.umrabuzz.com/idm-iam-discussions/2011/7/28/summer-fun-from-helping-the-helpdesk.html"/><author><name>Drew Olson</name></author><published>2011-07-28T14:39:36Z</published><updated>2011-07-28T14:39:36Z</updated><content type="html" xml:lang="en-US"><![CDATA[<p>I came across a blog posting from a few years back at the <a href="http://errorcode1.blogspot.com/">Helping the Helpdesk blog</a>&nbsp;and I thought it was worth reposting. Little has changed and we are still inundated with calls from school districts struggling to find a way to manage user accounts before the start of the new year. The approach described below follows Tools4ever's method for synchronizing student information systems such as PowerSchool, Infinite Campus, and Aeries with your Active Directory and other resources like Google Apps, <a href="mailto:Live@edu">Live@edu</a>, Destiny and so on.&nbsp; I hope you find the post helpful!</p>
<p><br />Summer Fun</p>
<p><span class="Apple" style="color: #000000;"><span class="Apple" style="color: #333333;">
<p>The summer time means vacations, no school, hitting the beach, and all kinds of great fun. Unless of course, you are a system administrator for a school district. The summer then<span class="Apple">&nbsp;</span>means you are squeezing in every major project that you can before school starts up again in August or September, depending on the region in which you reside. As such, the last thing you have time for is dealing with student active directory accounts.</p>
<p>Yet, you will have an influx of new students. And depending on your organizational unit structure, you may need to roll over these accounts into new OU&rsquo;s based on graduation year or grade level.<span class="Apple">&nbsp;</span>Maybe these grad year or grade level OU&rsquo;s are within a higher level OU for each school in the district.<span class="Apple">&nbsp;</span>Perhaps each grad year or grade level has a specific share somewhere, on which the user&rsquo;s home directories must reside. These home directories need to move with the student throughout his or her career in the district. Then, of course, there are group memberships, which were most likely created within the same design as the OU structure.</p>
<p>Manually provisioning all of this can take weeks. Scripting these tasks in Visual Basic is slow and tedious as well. With<span class="Apple">&nbsp;</span><a style="color: #44a1d0;" href="http://www.tools4ever.com/products/user-management-resource-administrator/">User Management Resource Administrator&rsquo;s Automation module</a>, you can streamline these tasks, and have them occur on a scheduled basis. Here is a high level overview of such a process:</p>
<ul>
<li><span class="Apple"><span class="Apple">UMRA queries the SIS system, or csv export of student information</span></span></li>
<li>This data is compared to AD</li>
<li>New accounts are created based upon existence in the SIS system and not AD</li>
<li>Updates to accounts occur based upon existence of the user in the SIS and AD</li>
<li>Account disables are based upon either an inactive flag in the SIS, or the lack of the account existing in the SIS when it exists in AD</li>
</ul>
<p>Processes for group and home directory provisioning can be based upon a graduation year or grade level, even if this information is not necessarily provided (to be detailed in a coming post). Automation can be scheduled nightly, or more or less frequently as needed. All actions against AD accounts and their resources are logged for auditing and troubleshooting purposes. It can even generate email alerts for you.</p>
<p>You are now free to (not) enjoy your summer break doing other tasks.</p>
<p>You&rsquo;re welcome. ;)</p>
<p><br />For more information, please visit <a href="http://www.tools4ever.com">Tools4ever</a></p>
</span></span></p>]]></content></entry><entry><title>Data Breach #3: Patient Records Stolen at Univ. of Maryland Medical Center</title><category term="Healthcare Identity Management"/><category term="access management"/><category term="data breach"/><category term="healthcare identity management"/><category term="identity management"/><category term="identity theft"/><category term="university of maryland"/><id>http://www.umrabuzz.com/idm-iam-discussions/2011/7/15/data-breach-3-patient-records-stolen-at-univ-of-maryland-med.html</id><link rel="alternate" type="text/html" href="http://www.umrabuzz.com/idm-iam-discussions/2011/7/15/data-breach-3-patient-records-stolen-at-univ-of-maryland-med.html"/><author><name>Drew Olson</name></author><published>2011-07-15T15:36:00Z</published><updated>2011-07-15T15:36:00Z</updated><content type="html" xml:lang="en-US"><![CDATA[<p>This breach outlines the dire consequences that can result when critical and extremely private personal data can be accessed by the wrong people.&nbsp; In this case, employees who had open access to not only confidential patient data, but also billing information, were able to steal account info and rob elderly and vulnerable victims.</p>
<p>The hospital contends that this was the result of a crime and not due to hospital procedures and this may be the case.&nbsp; But health care organizations are going to have to change policies quickly to restrict access to this type of information, or these types of stories will only increase with dire results for patients and the hospital alike.</p>
<p>I contend that organizations should perform a review of their current identity management and protection policies to see how easy and how many employees could potentially compromise data, such as happened here at the University of Maryland Medical Center. I believe that an identity management solution that is well planned and implemented can allow health care organizations to restrict and monitor access to critical systems containing confidential information. In my own consulting work, I have heard from many security officers admissions&nbsp;of improper access; that too many people can easily access patient data.&nbsp; An organization without an identity management policy is giving a huge advantage to these criminals.</p>
<p>The story below is from the Baltimore Sun, July 14. <a href="http://www.baltimoresun.com/health/bs-md-identity-theft-20110714,0,3173292.story">http://www.baltimoresun.com/health/bs-md-identity-theft-20110714,0,3173292.story</a></p>
<p>&nbsp;</p>
<p>&nbsp;<span class="full-image-block ssNonEditable"><span><img src="http://umrabuzz.squarespace.com/storage/7-15-2011%208-37-26%20AM.png?__SQUARESPACE_CACHEVERSION=1310747656935" alt="" /></span></span></p>
<p>For information on Tools4ever identity management solutions and how they can benefit any health care organization, please click <a href="http://www.tools4ever.com/uswa/solutions/">here</a>.</p>
<p>&nbsp;</p><p>Source: Hospital employee and three others accused of stealing patients&#39; identities (http://www.baltimoresun.com/health/bs-md-identity-theft-20110714,0,3173292.story) by Meredith Cohn</p>]]></content></entry><entry><title>Benefits of IDM in Higher Ed - Harrison College Case Study</title><category term="CampusVUE"/><category term="Google Apps"/><category term="Harrison College"/><category term="SSRPM"/><category term="identity management"/><category term="password management"/><category term="password resets"/><category term="user provisioning"/><id>http://www.umrabuzz.com/idm-iam-discussions/2011/7/12/benefits-of-idm-in-higher-ed-harrison-college-case-study.html</id><link rel="alternate" type="text/html" href="http://www.umrabuzz.com/idm-iam-discussions/2011/7/12/benefits-of-idm-in-higher-ed-harrison-college-case-study.html"/><author><name>Drew Olson</name></author><published>2011-07-12T17:43:28Z</published><updated>2011-07-12T17:43:28Z</updated><content type="html" xml:lang="en-US"><![CDATA[<p>Often, when we begin working on identity management projects with an educational institution, we really are starting from scratch. The organization typically has been relying on&nbsp;a series of manual processes, scripts,&nbsp;and utilities which can be quite limiting in today's modern environment.&nbsp; Below is a summary and actual case study that was written by <a href="http://www.harrison.edu">Harrison College</a>&nbsp;in Indianapolis, IN detailing why they had to move forward with IDM and their results working with <a href="http://www.tools4ever.com">Tools4ever</a>.</p>
<p><strong><span style="color: #21265b;"><br />Problem<br /></span></strong><span style="color: black;">With over 6,000 students using one student Active Directory account, there was a huge opportunity to streamline the management of individual accounts as well as deploying a self service password reset solution. Harrison only had a single generic student Active Directory account used by all students. Each student was provided a thumb drive and would log into accounts using the same credentials and would have to save work on their local drive. Additionally, each student was responsible for creating their own email accounts.</span></p>
<p><strong><span style="color: #21265b;">Solution<br /></span></strong><span style="color: black;">Automated solution for managing student user accounts and self-service password reset.<br /></span><strong><span style="color: #21265b;"><br />Connectors<br /></span></strong><span style="color: black;"><a href="http://www.google.com/apps/intl/en/edu/">Google Apps<br />CampusVue</a></span><strong><span style="color: #21265b;"><br /><br />Results<br /></span></strong><span style="color: black;">Increased efficiency in managing user accounts and self service password reset management. </span></p>
<p><span style="color: black;">&nbsp;</span><strong><span style="color: #21265b;"><br />Considerations</span></strong></p>
<p><strong></strong><span style="color: black;">Before Harrison could implement an identity and access management solution they had to ensure the solution they chose met the following requirements:</span></p>
<p><span style="color: black;">Was cost effective;<br /></span><span style="color: black;">Experience with Google Apps API and provisioning accounts;<br /></span><span style="color: black;">Self-service tools that can run 24/7;<br /></span><span style="color: black;">Could integrate easily with CampusVue.</span></p>
<p><span style="color: black;">Being able to integrate fully with Google Apps was critical because the project to bring on an identity management solution also coincided with a project to have each student have a Google account. This would give them access to an email and Google Apps account. Managing the users&rsquo; lifecycle for this endeavor called for a robust user management tool.</span></p>
<p><strong><span style="color: #21265b;">Solutions</span></strong></p>
<p><strong></strong><span style="color: black;">With over 6,000 students and 900 staff, Harrison College looked to Tools4ever for a solution to help them with their identity and access management challenge. Tools4ever&rsquo;s User Management Resource Administrator (UMRA) proved to be the best option in managing the users&rsquo; lifecycle and provisioning into the applications and systems the students needed. Additionally, there was a need for Harrison to implement a self-service password reset tool that could also work seamlessly with user accounts. </span></p>
<p><span style="color: black;">Jason Stele, Assistant Director of Information Services, described their need as, &ldquo;We could have never brought on student email or student Active Directory accounts without Tools4ever. They helped enable us to effectively manage large numbers of individual user accounts with minimal staff resources by leveraging UMRA.&rdquo;</span><span style="color: black;">&nbsp;</span></p>
<p><strong><span style="color: #21265b;">Around the clock support</span></strong></p>
<p><strong></strong><span style="color: black;">Because Harrison College is spread out among 13 campuses and offers an online program, they serve students at any given time between 7:00 AM and 10:00 PM. But since most support staff members only work until 5:00 PM, it was important that they implement a solution with around the clock support. By also implementing Tools4ever&rsquo;s Self Service Password Reset Management (SSRPM) solution, Harrison College has placed the ownership of password resets into the hands of the student. This has not only allowed password resets to happen after hours, but has also greatly reduced calls coming in during standard work hours.</span></p>
<p><span style="color: #21265b;"><strong>Improved Efficiency </strong></span></p>
<p><span style="color: black;">According to Stele, one of the greatest advantages of deploying UMRA has been a significant resource reduction in managing the users&rsquo; accounts. Together, UMRA and SSRPM have enabled Harrison College to utilize connectivity with Google Apps as well as CampusVue to roll out efficient tools to the student population. UMRA has also laid the groundwork for the implementation of additional technologies that will allow both the staff and students to have fast and secure access to the tools and systems they need.</span></p>
<p><span style="color: black;">&nbsp;</span></p>
<p><span style="color: black;">For more information on tools4ever, please visit our <a href="http://www.tools4ever.com">site</a>.</span></p>
<p>&nbsp;</p>]]></content></entry><entry><title>Challenge of cloud based email - Google Apps - Live@edu/Office 365</title><category term="Google Apps"/><category term="Live@edu"/><category term="Office 365"/><category term="PowerSchool"/><category term="automated provisioning"/><category term="cloud email"/><category term="identity management"/><category term="iidentity management"/><category term="uuser provisioning"/><id>http://www.umrabuzz.com/idm-iam-discussions/2011/5/27/challenge-of-cloud-based-email-google-apps-liveeduoffice-365.html</id><link rel="alternate" type="text/html" href="http://www.umrabuzz.com/idm-iam-discussions/2011/5/27/challenge-of-cloud-based-email-google-apps-liveeduoffice-365.html"/><author><name>Drew Olson</name></author><published>2011-05-27T15:49:33Z</published><updated>2011-05-27T15:49:33Z</updated><content type="html" xml:lang="en-US"><![CDATA[<p>I have&nbsp;written previously about the proliferation of cloud based email solutions such as Google Apps and Microsoft's Live@edu, but the continuous growth in the public and private sectors warrants discussion of some of the challenges with these new systems.&nbsp; As I mentioned before, there are tremendous benefits to these systems, especially for school districts and universities, but&nbsp;they do&nbsp;create a new level of provisioning and password management to an organization's current identity management process.</p>
<p>These systems are not natively integrated to an organization's directory service (Active Directory, eDirectory, Open Directory) which means an additional process to the onboarding and deprovisioning policies.&nbsp; Additionally, because passwords are not synchronized with Active Directory, an even greater burden is placed on IT and the help desk for password resets for these accounts. Furthermore,&nbsp;anyone currently using either of the mentioned hosted email solutions will know that&nbsp;the native management tools such as Google Sync or Windows Live Admin Center are not staying current with the&nbsp;fast changing feature set.&nbsp; For example, managing dynamic distribution groups is not easily done and this is a huge disservice to <a href="mailto:Live@edu">Live@edu</a>&nbsp;users.&nbsp; In Google Apps, users are now taking advantage of the new container structure but finding managing these OUs&nbsp;and groups with Google Sync to be an incredibly frustrating experience.</p>
<p>Fortunately, these organizations can partner with a company like Tools4ever who has the experience to solve these challenges and to&nbsp;help strengthen the business case for&nbsp;implementing new cloud based email&nbsp;systems.&nbsp; Tools4ever's User Management Resource Administrator (UMRA) can provide an&nbsp;all encompassing provisioning process that can automatically pull data from a student information system and create an Active Directory account and an account in <a href="mailto:Live@edu">Live@edu</a>&nbsp;or&nbsp;Google Apps.&nbsp; As the student progresses and&nbsp;moves from different classes and grades throughout the district, UMRA will automatically keep their account up to date.&nbsp; UMRA can also automatically manage class email lists using data in the SIS&nbsp;and provide self service management options to end users, such as teachers, to easily add and remove users from email groups.</p>
<p>Tools4ever can also provide password management options that can link between your email and directory service.&nbsp; Their <a href="http://www.tools4ever.com/products/password-synchronization-manager/">Password Synchronization Manager</a> will keep passwords synchronized between each account and the <a href="http://www.tools4ever.com/products/self-service-reset-password-management/">Self Service Reset Password Management</a> software will provide an end user system for resets using a challenge and response mechanism.&nbsp;</p>
<p>For more information on how Tools4ever can help keep your cloud email implementation from costing a fortune, visit our <a href="http://www.tools4ever.com/uswa/solutions/">website</a>.</p>]]></content></entry><entry><title>Data Breach #2: Massachusetts Healthcare System</title><category term="HRConnect"/><category term="Healthcare Identity Management"/><category term="data breach"/><category term="identity management"/><category term="shared accounts"/><category term="strong authentication"/><id>http://www.umrabuzz.com/idm-iam-discussions/2011/5/16/data-breach-2-massachusetts-healthcare-system.html</id><link rel="alternate" type="text/html" href="http://www.umrabuzz.com/idm-iam-discussions/2011/5/16/data-breach-2-massachusetts-healthcare-system.html"/><author><name>Drew Olson</name></author><published>2011-05-17T04:00:23Z</published><updated>2011-05-17T04:00:23Z</updated><content type="html" xml:lang="en-US"><![CDATA[<p>This article recently published in the Worcester Telegram &amp; Gazette highlights the dangers of shared user accounts, open kiosks and weak authentication protocols.</p>
<p><br /><strong style="font-size: 120%;">Computer access breach exposed UMass Memorial pay stub data</strong></p>
<p><strong style="font-size: 120%;"><strong><span style="font-size: 80%;">By Lee Hammel TELEGRAM &amp; GAZETTE STAFF</span></strong></strong></p>
<p><span style="font-size: 120%;"><span style="font-size: 80%;"><strong style="font-weight: bold;"><span style="font-size: 90%;">WORCESTER</span></strong><strong>&nbsp;&mdash;&nbsp;</strong><span style="font-size: 90%;"> Personal pay stub information of some UMass Memorial Healthcare employees was subject to unauthorized access for five months.&nbsp;</span><span style="font-size: 90%;"><br /><br />The organization learned March 10 that at 10 kiosks where employees could view their pay stub information, and also at shared workstations, subsequent users were able to access the information of previous users, according to Rob Brogna, UMass Memorial spokesman. Upon confirming the problem, UMass Memorial removed the kiosks from use, he said.<br /><br />The day after the breach was discovered, UMass Memorial applied a systemwide software change to disable the pertinent setting on the organization's HRConnect application, he said. On March 16, the direct deposit bank account number was redacted from the information on HRConnect, and subsequently the 10 kiosks were returned to the campuses for employee use, Mr. Brogna said.<br /><br />The personal information potentially exposed included name, bank name, bank transit number and bank account number. The breach did not involve employee Social Security numbers or medical record or patient information, he said.<br /><br />Only UMass Memorial employees who accessed HRConnect using the kiosks or a shared workstation between Oct. 7 and March 11 are potentially affected by the breach, Mr. Brogna said. What portion of the 13,500 employees of the health care system was affected was not available last night.<br /><br />UMass Memorial has no reason to believe that any of the personal information on HRConnect has been misused, according to Mr. Brogna.
Nevertheless, UMass Memorial is notifying all potentially affected employees of the incident.<br /><br />The organization is offering potentially affected employees reimbursement of the costs to institute a security freeze with the three national credit reporting agencies, Mr. Brogna said, and is also offering one year of free credit monitoring through TransUnion Interactive.<br /><br />&ldquo;UMass Memorial deeply regrets this incident,&rdquo; Mr. Brogna said, and &ldquo;is continually evaluating and modifying its practices to enhance the security and privacy of all confidential and sensitive information entrusted to it.&rdquo;&nbsp;</span></span></span></p>
<p><span style="font-size: 120%;"><span style="font-size: 80%;"><strong><a href="http://www.telegram.com/article/20110412/NEWS/110419891/1116">http://www.telegram.com/article/20110412/NEWS/110419891/1116</a></strong></span></span></p>
<p>&nbsp;</p>
<p>As of late, Tools4ever has been implementing more solutions in the healthcare market and I wanted to take a look at our clients and ascertain if there are common issues that this market sector needs to address.&nbsp; Not surprisingly, the issue above was a common theme with a number of these accounts.</p>
<p><strong>Shared User Accounts</strong></p>
<p>One of the top reasons for implementing Identity Management in healthcare is the need to eliminate &ldquo;shared&rdquo; accounts.&nbsp; Quite frequently, all the nurses on a floor will have one or more shared computers. Everyone uses the machine under a common, generic account.&nbsp; The issue becomes security and privacy. &nbsp;It is impossible to restrict access or determine who is doing what and when.</p>
<p>Identity management typically solves this issue by linking an HR application to the Active Directory and creating individual logon accounts. Fast user switching, available in Vista and 7, makes this a quick process for busy healthcare professionals.&nbsp; Further, the Tools4ever Single Sign On product allows for credentials of users to be provided automatically for authorized applications when utilizing fast user switching.</p>
<p>&nbsp;</p>
<p>For more information, please visit: <a href="http://www.tools4ever.com/products/user-management-resource-administrator/">http://www.tools4ever.com/products/user-management-resource-administrator/</a></p><p>Source: Computer access breach exposed UMass Memorial pay stub data (http://www.telegram.com/article/20110412/NEWS/110419891/1116) by Lee Hammel<br/></p>]]></content></entry><entry><title>Why you Should Use Employee Numbers in Active Directory</title><category term="Active DIrectory"/><category term="HRM link"/><category term="employee ID"/><category term="identity management"/><id>http://www.umrabuzz.com/idm-iam-discussions/2011/5/2/why-you-should-use-employee-numbers-in-active-directory.html</id><link rel="alternate" type="text/html" href="http://www.umrabuzz.com/idm-iam-discussions/2011/5/2/why-you-should-use-employee-numbers-in-active-directory.html"/><author><name>Drew Olson</name></author><published>2011-05-02T17:51:11Z</published><updated>2011-05-02T17:51:11Z</updated><content type="html" xml:lang="en-US"><![CDATA[<p>Organizations that are in the process of cleaning up their Active Directory or linking other systems such as face libraries, print badges etc., are often confronted with the problem that the employee ID number is not listed consistently in the Active Directory. In many cases this is a show-stopper; it prevents them from recognizing Active Directory as the central account database. This will result in problems once they start linking all the identities across the organization.</p>
<p><strong>The situation</strong>:</p>
<p>You have an HRM system with 1,000 employee names, which may include double records for service contracts, functions, departments and managers. You also have an Active Directory containing 2,300 accounts, in which over the years various different IT agents have manually created user accounts based on their personal interpretation of naming standards. There is a need to clean up the Active Directory or to use it as the central account database. <strong></strong></p>
<p><strong>The challenge:</strong></p>
<p>As a first step, you could determine which of the 2,300 accounts have been assigned to employees who are no longer in service. This means that you must link employees in the HRM system to accounts in the Active Directory. If the employee ID or citizen service number is not listed in the Active Directory, you will not have a unique key with which to set up this link. Manually entering employee IDs or citizen service numbers for all Active Directory accounts is a time-consuming task.</p>
<p><strong>The solution:</strong></p>
<p>Tools4ever&rsquo;s UMRA solution and consultancy services will allow you to align the HRM system and Active Directory in the space of a single day. The employee ID numbers are added to the Active Directory in the form of attributes that are invisible to end users. We provide support for any combination of naming conventions (100+) ever used to create accounts, including any subsequent requests for partner names or naming conventions, and to align these with the HRM system. Experience shows that we are always able to achieve an alignment level of 85-90%, which leaves only a small list of accounts that will have to be processed manually.</p>
<p>Would you like more information? Visit our website: <a href="http://www.tools4ever.com/nl/products/user-management-resource-administrator/features/phasethree/">User Provisioning from the HRM system</a>.</p>]]></content></entry><entry><title>Tell me about this user: Reporting, Auditing, and Compliance</title><category term="Auditing"/><category term="Auditing and Compliance"/><category term="Compliance"/><category term="HIPAA"/><category term="NTFS"/><category term="SOX"/><category term="identity management"/><id>http://www.umrabuzz.com/idm-iam-discussions/2011/4/28/tell-me-about-this-user-reporting-auditing-and-compliance.html</id><link rel="alternate" type="text/html" href="http://www.umrabuzz.com/idm-iam-discussions/2011/4/28/tell-me-about-this-user-reporting-auditing-and-compliance.html"/><author><name>Drew Olson</name></author><published>2011-04-29T00:19:45Z</published><updated>2011-04-29T00:19:45Z</updated><content type="html" xml:lang="en-US"><![CDATA[<p>I haven't posted in a few weeks but after a few recent meetings, I felt it would be a good idea to start a discussion on user auditing. &nbsp;Most organizations have some form of user directory or white pages where one can find another user's department, contact information and perhaps some other basic information. However, the clients I met with were struggling to display more detailed information regarding an individual's group memberships, access permissions, and folder permissions.</p>
<p>This type of information may be more detailed than most users would need to see regularly, but it can be very important for auditing, compliance and risk management standards. &nbsp;How easy is it for you to locate someone's folder permissions or, even more, to see how these might have changed over time? Understanding this information will give you much better control over your IT security policy, and will also give you an upper hand when it comes to meeting regulations covered under SOX, HIPAA, etc.</p>
<p>With these changes and especially in this era of increased network attacks and data breaches, it is crucial for an organization to report and follow up on:</p>
<ul>
<li><span><span>a list of requests and changes over a given time period x.</span></span></li>
<li><span><span>an overview of the group membership (and per user).</span></span></li>
<li><span><span>an overview of NTFS permissions (and per user).</span></span></li>
<li><span><span>an overview of the accounts that have not logged in for more than 30 days.</span></span></li>
<li><span><span>an overview of the disabled or blocked accounts.</span></span></li>
<li><span><span>the number of requests for a particular function or for a particular department.</span></span></li>
<li><span><span>the number of outstanding requests.</span></span></li>
<li><span><span>the average handling period.</span></span></li>
</ul>
<p>A solution such as Tools4ever's User Management Resource Administrator (UMRA) can easily assist you in these areas. <span>UMRA automatically records management operations and changes to accounts and permissions.</span>&nbsp;<span>This detailed data is then readily available for later audit and reporting purposes. This type of solution can also provide export functionality, with reports that can be generated in a variety of different formats. This means that companies have insight, at any moment, into the processes involved and into whether they comply with security policies, governing regulations and the law.</span></p>
<p><span>For more information, please visit: <a href="http://www.tools4ever.com/solutions/audit-compliance/">http://www.tools4ever.com/solutions/audit-compliance/</a></span></p>]]></content></entry><entry><title>Expired accounts: ‘Please help, I can no longer log in — what now?’</title><category term="Account expiration"/><category term="Lawson"/><category term="PeopleSoft"/><category term="SAP"/><category term="User Management"/><category term="identity management"/><category term="self-service"/><category term="user deprovisioning"/><id>http://www.umrabuzz.com/idm-iam-discussions/2011/4/13/expired-accounts-please-help-i-can-no-longer-log-in-what-now.html</id><link rel="alternate" type="text/html" href="http://www.umrabuzz.com/idm-iam-discussions/2011/4/13/expired-accounts-please-help-i-can-no-longer-log-in-what-now.html"/><author><name>Drew Olson</name></author><published>2011-04-13T15:59:26Z</published><updated>2011-04-13T15:59:26Z</updated><content type="html" xml:lang="en-US"><![CDATA[<p>System administrators and helpdesk agents will be familiar with the problem; temporary hires or external employees are assigned a user account with an expiration date. Meanwhile, their contract is renewed without the IT department being notified, so in the morning you find the users at your desk complaining about being unable to work.</p>
<p><strong>Solution 1: A link with the HRM system</strong></p>
<p>A structural solution is to link your Active Directory to the HRM system (e.g.&nbsp;PeopleSoft, SAP HCM, Lawson). A &lsquo;connector&rsquo; will automatically detect contracts that are about to expire and determine exactly when an account must be blocked. Any modifications in the HRM system will also be automatically implemented by the connector in Active Directory, enabling employees to continue working as usual. This connector can also operate on the basis of a phased approach. For instance, you can configure a &lsquo;grace period&rsquo; that will allow users to log in until 2 days after their contract has expired. After this grace period, the user account will be quarantined for a period of 90 days, after which it will be completely erased, including the data and mailbox.</p>
<p><strong>Solution 2: Self-service based on e-forms</strong></p>
<p>If temporary hires or external employees are not registered in the HRM system, this can be solved by having the relevant manager handle requests for user accounts. A &lsquo;web shop&rsquo; with electronic forms (e-forms) is made available, so that the manager can request user accounts for these employees. This can be configured so that requests are carried out immediately or must first be approved by the IT department. The web shop features will also allow managers to perform management tasks for the user accounts that they have requested, such as resetting passwords and unlocking, blocking, releasing or renewing accounts. This means temporary employees will no longer have to call in the help of IT if their contract is renewed. Everything can be handled directly by their manager.</p>
<p><strong>Solution 3: Automatic reporting and notifications</strong></p>
<p>Solution 3 can be combined with the solutions discussed above. UMRA by Tools4Ever makes it easy to convert the expiration date stored in Active Directory into a legible date. With solution 2, managers still run the risk of forgetting to renew contracts for temporary hires or external employees. To prevent this, it is possible to monitor, on a daily basis, accounts that are about to expire in, say, 2 weeks. Notifications will automatically be sent to the account itself and to the person who requested the account. This means the organisation is always kept up-to-date with regard to the accounts that are about to expire. This can prevent a lot of frustration.</p>
<p>Want to learn more about how UMRA can streamline your identity management process? Visit our website: <a href="http://www.tools4ever.com">www.tools4ever.com</a></p>
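<p>As an added example (not Tools4ever's or UMRA's code), the Python code below shows the expiration-date conversion and the 2-week check from solution 3 together with the grace/quarantine schedule from solution 1. It assumes the raw <code>accountExpires</code> values have already been exported from Active Directory; the account names, the sample data and all function names are constructed for illustration.</p>

```python
from datetime import datetime, timedelta, timezone

# accountExpires counts 100-nanosecond ticks since 1601-01-01 UTC.
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)   # both values mean "account never expires"

WARN = timedelta(days=14)         # "about to expire in, say, 2 weeks"
GRACE = timedelta(days=2)         # login still allowed after contract end
QUARANTINE = timedelta(days=90)   # account kept, but blocked, before deletion

def expiry_date(account_expires):
    """Convert a raw accountExpires value to an aware UTC datetime, or None."""
    ticks = int(account_expires)
    if ticks in NEVER:
        return None
    try:
        return AD_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        return None   # assumption: unrepresentable values are treated as "never"

def to_account_expires(moment):
    """Inverse conversion, used here only to build the constructed sample."""
    return ((moment - AD_EPOCH) // timedelta(microseconds=1)) * 10

def expiring_soon(accounts, now, window=WARN):
    """Return (name, expiry) pairs for accounts that expire within the window."""
    hits = []
    for name, raw in accounts.items():
        expires = expiry_date(raw)
        if expires is not None and timedelta(0) <= expires - now <= window:
            hits.append((name, expires))
    return sorted(hits, key=lambda hit: hit[1])

def lifecycle_phase(contract_end, now):
    """Phase of the grace/quarantine/delete schedule for a contract end date."""
    if now < contract_end:
        return "active"
    if now < contract_end + GRACE:
        return "grace"
    if now < contract_end + GRACE + QUARANTINE:
        return "quarantine"
    return "delete"

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample directory export: account name -> raw accountExpires.
SAMPLE = {
    "temp.alice": to_account_expires(utc(2011, 4, 20)),
    "ext.bob": to_account_expires(utc(2011, 6, 1)),
    "temp.carol": to_account_expires(utc(2011, 4, 10)),
    "svc.backup": 0,
}
```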
<p>&nbsp;</p>]]></content></entry></feed>