<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:thr='http://purl.org/syndication/thread/1.0' version='2.0'><channel><atom:id>tag:blogger.com,1999:blog-698829246057037173</atom:id><lastBuildDate>Thu, 15 Apr 2010 09:24:15 +0000</lastBuildDate><title>IS4U blog</title><description>Identifying with your business</description><link>http://www.is4u.be/~blog/</link><managingEditor>noreply@blogger.com (Robin)</managingEditor><generator>Blogger</generator><openSearch:totalResults>15</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-698829246057037173.post-6823583272000551792</guid><pubDate>Wed, 14 Apr 2010 07:30:00 +0000</pubDate><atom:updated>2010-04-14T10:19:15.403+02:00</atom:updated><title>Seminar on RBAC &amp; Oracle Identity Analytics</title><description>&lt;div&gt;On Wednesday May 5th 2010, IS4U will host a &lt;u&gt;free&lt;/u&gt; seminar on RBAC (Role Based Access Control). The goal of this seminar is to provide an overview of the RBAC concept along with a product overview and demo of &lt;a href="http://www.oracle.com/us/products/middleware/identity-management/oracle-identity-analytics/index.html"&gt;Oracle Identity Analytics&lt;/a&gt; (formerly Sun/VAAU Role Manager) by Antonio Mata Gomez of Oracle. 
&lt;br /&gt;The agenda and a link to the registration page can be found below.&lt;/div&gt;&lt;div&gt;&lt;table width="700" cellspacing="0" cellpadding="0" border="0"&gt;&lt;br /&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td colspan="2"&gt;&lt;u&gt;&lt;strong&gt;Agenda&lt;/strong&gt;&lt;/u&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td width="20%"&gt;09:00 - 09:30&lt;/td&gt;&lt;td&gt;Registration + Coffee&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td width="20%"&gt;09:30 - 09:45&lt;/td&gt;&lt;td&gt;Welcome &amp; Introduction&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td width="20%"&gt;09:45 - 10:30&lt;/td&gt;&lt;td&gt;&lt;strong&gt;Part 1: Concept 'Role Based Access Control'&lt;/strong&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td width="20%"&gt;&lt;/td&gt;&lt;td&gt;Bart Cools&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td width="20%"&gt;&lt;/td&gt;&lt;td&gt;IAM &amp; RBAC Specialist&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td width="20%"&gt;&lt;/td&gt;&lt;td&gt;IS4U&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td width="20%"&gt;10:30 - 10:40&lt;/td&gt;&lt;td&gt;Q&amp;A&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td width="20%"&gt;10:40 - 11:50&lt;/td&gt;&lt;td&gt;&lt;strong&gt;Part 2: Oracle Identity Analytics + Demo&lt;/strong&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td width="20%"&gt;&lt;/td&gt;&lt;td&gt;Antonio Mata Gomez&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td width="20%"&gt;&lt;/td&gt;&lt;td&gt;Domain Architect Security &amp; IAM&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td width="20%"&gt;&lt;/td&gt;&lt;td&gt;Oracle&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td width="20%"&gt;11:50 - 12:00&lt;/td&gt;&lt;td&gt;Q&amp;A&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td width="20%"&gt;12:00 - 13:00&lt;/td&gt;&lt;td&gt;Lunch&lt;/td&gt;&lt;/tr&gt;&lt;br /&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;div&gt;&lt;table width="250" cellspacing="0" cellpadding="0" border="0"&gt;&lt;br /&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td width="180pt"&gt;&lt;u&gt;&lt;strong&gt;Registration Links:&lt;/strong&gt;&lt;/u&gt;&lt;/td&gt;&lt;td width="70pt"&gt;&lt;a 
href="http://www.ikworditelligent.be/seminar/rbac-nl/"&gt;Dutch&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.buzzberry.be/events/seminars/role-based-access-control-effective-and-efficient-access-control-within-your-organization"&gt;English&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;</description><link>http://www.is4u.be/~blog/2010/04/seminar-on-rbac-oracle-identity.html</link><author>noreply@blogger.com (Bart)</author><thr:total>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-698829246057037173.post-170069528690055661</guid><pubDate>Mon, 25 Jan 2010 22:43:00 +0000</pubDate><atom:updated>2010-02-22T13:33:02.359+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Seminar</category><category domain='http://www.blogger.com/atom/ns#'>FIM</category><category domain='http://www.blogger.com/atom/ns#'>Microsoft</category><category domain='http://www.blogger.com/atom/ns#'>Forefront</category><title>Microsoft Forefront Identity Manager 2010 Seminar</title><description>On January 20th, IS4U hosted a seminar on Microsoft's &lt;a href="http://www.microsoft.com/forefront/identitymanager"&gt;Forefront Identity Manager 2010&lt;/a&gt;. The main goal of the event was to provide an overview of the strategy of the Forefront product suite. Lars Svendson, Microsoft Sales Incubation, provided the attendees with this strategy update after Daniel Meyer, Microsoft Lead Identity and Access Management for EMEA, was forced to cancel due to a double booking.&lt;br /&gt;&lt;br /&gt;A live demo was constructed and delivered by IS4U. The most significant features of the FIM 2010 product were shown and incorporated in everyday use cases. 
The recordings of this demo can be watched below or &lt;a href="http://vimeo.com/9550190"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;object width="400" height="320"&gt;&lt;param name="allowfullscreen" value="true" /&gt;&lt;param name="allowscriptaccess" value="always" /&gt;&lt;param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=9550190&amp;amp;server=vimeo.com&amp;amp;show_title=0&amp;amp;show_byline=0&amp;amp;show_portrait=0&amp;amp;color=00ADEF&amp;amp;fullscreen=1" /&gt;&lt;embed src="http://vimeo.com/moogaloop.swf?clip_id=9550190&amp;amp;server=vimeo.com&amp;amp;show_title=0&amp;amp;show_byline=0&amp;amp;show_portrait=0&amp;amp;color=00ADEF&amp;amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="320"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;In the next months, a secondary seminar on FIM 2010 will be organized by IS4U, but no date has been picked yet, so be sure to check this blog or the &lt;a href="http://ikworditelligent.be/"&gt;seminars site&lt;/a&gt; for updates.</description><link>http://www.is4u.be/~blog/2010/01/microsoft-forefront-identity-manager.html</link><author>noreply@blogger.com (Bart)</author><thr:total>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-698829246057037173.post-4657826173054870341</guid><pubDate>Tue, 14 Jul 2009 08:34:00 +0000</pubDate><atom:updated>2009-07-14T15:45:36.950+02:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Security</category><category domain='http://www.blogger.com/atom/ns#'>Cosic</category><category domain='http://www.blogger.com/atom/ns#'>Conference</category><title>International Course on Computer Security and Cryptography 2009</title><description>Last week we 
had the possibility to attend the 12th edition of the International Cosic Course. This course is organised biyearly by the &lt;a href="http://www.esat.kuleuven.be/cosic/"&gt;Cosic&lt;/a&gt; research group from &lt;a href="http://www.kuleuven.be/"&gt;KULeuven&lt;/a&gt; and the topics cover Computer Security and Cryptography. The event was sponsored by &lt;a href="http://www.lsec.be/"&gt;L-Sec&lt;/a&gt; and took place at the &lt;a href="http://en.wikipedia.org/wiki/Arenberg_Castle"&gt;Arenberg Castle&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The course itself was very interesting, somewhat mathematical but still educational. You can find the various topics on the &lt;a href="https://www.cosic.esat.kuleuven.be/course/course_program.shtml"&gt;Cosic Course&lt;/a&gt; site.&lt;br /&gt;&lt;br /&gt;The 4-day course began with an introduction to cryptography and PKI. After this introduction the mathematics could start! The second day was a deep dive into various security concepts. The third and fourth days covered the implementations of these concepts.&lt;br /&gt;&lt;br /&gt;The conference dinner at &lt;a href="http://www.facultyclub.be/"&gt;The Faculty Club&lt;/a&gt; on Thursday was a nice way to socialise with the presenters.&lt;br /&gt;All in all, it was a fully packed week with a lot to learn.</description><link>http://www.is4u.be/~blog/2009/07/international-course-on-computer.html</link><author>noreply@blogger.com (Stefan)</author><thr:total>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-698829246057037173.post-8028848813761356790</guid><pubDate>Thu, 07 May 2009 12:46:00 +0000</pubDate><atom:updated>2009-05-07T18:13:20.424+02:00</atom:updated><title>Microsoft Security and Identity Lifecycle Platform</title><description>Yesterday, 
Wednesday 6th of May, I went to a Microsoft Architects forum about the new IAM products that Microsoft has to offer. Geneva is the codename of the new claims-based identity system from Microsoft that allows single sign-on access to systems that are active across several data centres. It consists of the Geneva server, which is to deal with issuing and exchanging claims and controlling user access, a CardSpace client and the Geneva Framework, an extension of Microsoft's .Net Framework 3.5. The server itself supports Active Directory and web service standards like Security Assertion Markup Language 2.0 (SAML), WS-Federation and WS-Trust.&lt;br /&gt;The other product that Microsoft offers, and which I'm going to discuss in more detail, is FIM (formerly known as ILM2). FIM stands for ForeFront Identity Manager, and it fits inside the range of other ForeFront-suite products offered by Microsoft. Like most of the Microsoft products it offers perfect integration with other Microsoft products and a familiar look and feel to any Windows user. The interface is made in SharePoint; it must be said that the interface looks like the most intuitive one I've seen in an Identity Manager, something Microsoft is really good at (although I haven't had hands-on experience yet; I am building a demo system as we speak and will come back to this in another blog item). It is also worth noting that FIM interacts with Outlook as well. Let me illustrate the previous statement with an example: when a user is added to a group or role in the identity system and approval is required to obtain that, the approver will receive a mail in Outlook with an integrated "approve/reject" option, similar to the accept/decline option when you are invited to a meeting in Outlook. What's also interesting is that in FIM you now have a workflow editor (it was missing in the previous lifecycle manager from Microsoft). It also has a broader range of supported protocols. 
What does concern me is that, while FIM seems to support a lot of possible directories (AD, ADAM, 'other LDAP', ...) for provisioning, it's still unclear to me what will happen if I try to provision to an LDAP installed on a Linux or UNIX device. But as previously stated, I will test this out and share my experience on this blog!&lt;br /&gt;&lt;br /&gt;In general, I was pleasantly surprised by this product. The fact that companies tend to already have a large selection of Microsoft products installed, especially the ones that have SharePoint and other ForeFront products, will make it easier for the employees to navigate the interface. This is a powerful asset, especially since this is only the second release (other Identity Managers are at their 8th or even 12th release). I do see a lot of potential in this as long as Microsoft doesn't forget that companies tend to have a more exotic selection of protocols and directories other than their own.&lt;br /&gt;It is important to note that this product is expected to be released for the beginning of 2010.</description><link>http://www.is4u.be/~blog/2009/05/microsoft-security-and-identity.html</link><author>noreply@blogger.com (maarten)</author><thr:total>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-698829246057037173.post-868899541892518375</guid><pubDate>Tue, 21 Apr 2009 10:06:00 +0000</pubDate><atom:updated>2009-04-22T13:37:57.293+02:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>IBM</category><category domain='http://www.blogger.com/atom/ns#'>User Group</category><category domain='http://www.blogger.com/atom/ns#'>Tivoli</category><category domain='http://www.blogger.com/atom/ns#'>TGGN</category><title>Benelux Tivoli User Group - DAY 
2</title><description>DAY 2&lt;br /&gt;Because the user group rescheduled the agenda a bit, Peter Volckaert started with an introduction to IBM Tivoli Directory Integrator. I missed that presentation, but for those interested, here is a link to the product site: http://www-01.ibm.com/software/tivoli/products/directory-integrator/.&lt;br /&gt;&lt;br /&gt;And, finally, TCIEM development manager Michale Pintus and the product manager (grr … I can’t remember his name right now) gave the best of themselves explaining “Tivoli Security Information and Event Manager” in a nutshell. Until recently, companies were focusing on how to protect themselves against threats from the outside world. Because of a growing number of incidents (fraud, data loss…) initiated from inside the network, the demand for software addressing such issues became urgent.&lt;br /&gt;TCIEM is comprised of two products:&lt;br /&gt; &lt;br /&gt;1. TCIM or Tivoli Compliance Insight Manager: TCIM helps manage the billions of log file entries in a fast and efficient manner. Using an easy dashboard, one can easily gain an overview of whether the environment is compliant with the security strategy in place. Using the same dashboard, an administrator can easily investigate a user’s activity, tracing security issues…&lt;br /&gt;&lt;br /&gt;2. TSOM or Tivoli Security Operations Manager: Where TCIM is focusing on gathering information from log files, TSOM gathers real-time operational events coming from firewalls, IPS systems… TSOM also comes with a dashboard showing security issues in real time and serves as a launchpad to dig deeper into security issues.&lt;br /&gt;&lt;br /&gt;Both products translate the complex log data into an easily understood language, through the W7 methodology (Who, did What, When, Where, Where from, Where to and What). 
This data is made available through the dashboard, where further investigation is possible by clicking on the topic.&lt;br /&gt;&lt;br /&gt;TCIM and TSOM are very closely tied to each other; TSOM data can easily be imported into TCIM, where it is made available through the dashboard via the W7 methodology.&lt;br /&gt;&lt;br /&gt;For those who know CARS (Common Auditing and Reporting System): in the medium term, this will be replaced by TCIEM.&lt;br /&gt;&lt;br /&gt;And finally, we rounded up the second day with a presentation given by Guido Van Nuffelen about “Experiential Communications Management”. What was it all about? Well, Guido started his presentation by showing two short movie fragments: one of the legendary A-Team, one of “Sex and the City”. After showing these, he raised a question asking what both movies had in common: the number four. And what he meant with that number: it seems that every good team is made up of four participants: an executer, a dreamer, a thinker, a decider. Any other combination will probably end up in a mess: e.g. 
a team of 4 dreamers will bring up many ideas, but no one will be able to make them work effectively …&lt;br /&gt;&lt;br /&gt;To summarize: the event was pretty informative, it gives the ability to get in touch with other products within the Tivoli family and, no less important … if the event is not planned during a vacation period … you do have the chance to get in contact with potential clients and IBM people.</description><link>http://www.is4u.be/~blog/2009/04/benelux-tivoli-user-group-day-2.html</link><author>noreply@blogger.com (Wim)</author><thr:total>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-698829246057037173.post-6729964333180893012</guid><pubDate>Tue, 21 Apr 2009 10:03:00 +0000</pubDate><atom:updated>2009-04-22T13:42:39.968+02:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>IBM</category><category domain='http://www.blogger.com/atom/ns#'>User Group</category><category domain='http://www.blogger.com/atom/ns#'>Tivoli</category><category domain='http://www.blogger.com/atom/ns#'>TGGN</category><title>Benelux Tivoli User Group - DAY 1</title><description>Last week (16th and 17th of April) the two-day spring edition of the “Tivoli User Group Netherlands” (Tivoli User Group Nederland, www.tggn.nl) took place in the Antwerp conference center “Elzenveld”, sponsored by IS4U. 
Well, because TGGN has expanded to Belgium and Luxembourg since the start of 2009, the half-yearly meeting is now called “Benelux Tivoli User Group” … which was the most significant announcement of Chairman Derk Yntema during the welcome.&lt;br /&gt;&lt;br /&gt;DAY 1&lt;br /&gt;Before starting with the usual parallel sessions, Don O’Tool, “Director of Strategy for IBM Tivoli Software Brand”, gave a nice presentation about the strategy IBM would follow concerning the Tivoli-branded products. Next to improving and extending the current Tivoli product base, “green” thinking really starts to play a major role.&lt;br /&gt;&lt;br /&gt;The next IBM representative, Steve Anderson, came up with a relatively short presentation about services and support, where the following items were the most important ones: the differences between a standard and a premium support contract, and the different possibilities available for requesting support (ESR, Chat, …). And last but not least, IBM support people now have the possibility to log in remotely to the customer’s site to examine a problem in real life, which saves the customer from gathering the bunch of data needed when creating an ESR.&lt;br /&gt;&lt;br /&gt;As mentioned earlier, the program was based on three tracks: “Green”, “Employee Life Cycle Management” and “Virtualization”. As an IS4U employee, mainly involved in TIM/TAM projects, I decided to attend the second track.&lt;br /&gt;&lt;br /&gt;Peter Volckaert, technical Tivoli Security sales specialist, opened with a presentation about the new “Tivoli Security Policy Manager” (http://www-01.ibm.com/software/tivoli/products/security-policy-mgr/) offering “security as a service”. Using Policy Manager, dynamic fine-grained authorization for applications and web services becomes easily manageable. In fact, the software supports the full policy lifecycle management: author, transform, enforce, monitor. 
To address the client’s needs, Policy Manager comes in two offerings:&lt;br /&gt;&lt;br /&gt;1. Security Policy Manager for Application Entitlements: Application owners can externalize authorization and audit from their application code.&lt;br /&gt;&lt;br /&gt;2. Security Policy Manager for SOA: Application owners can externalize the security policy protecting their web services. Besides, this solution easily integrates with the WebSphere SOA appliances (Datapower).&lt;br /&gt;Policy Manager is completely based on open standards, making it work easily with third-party software supporting those standards.&lt;br /&gt;&lt;br /&gt;Next, in two successive sessions, the asset management tool “Maximo” (http://www-01.ibm.com/software/tivoli/products/maximo-asset-mgmt/) was explained (the user group played a bit around with the agenda). In the earlier years (read: before the acquisition by IBM) MRO’s Maximo was only focusing on non-IT-related operational asset management. As more and more assets are touched by technology, MRO and IBM came together to address this issue, finally ending in IBM adding Maximo to the Tivoli portfolio. One session was mainly focusing on how to use Maximo within the scope of “Employee Lifecycle Management”, while the other session was more about how to use it in “managing IT and non-IT Assets”:&lt;br /&gt;&lt;br /&gt;1. Employee Lifecycle Management: e.g. streamline the process to follow when a new employee starts working at a company, make sure he/she gets a company car if appropriate, check whether the user needs a cell phone and order one if necessary, make sure the user has the necessary accounts created, … Make sure a retiring user hands over all his/her assets the moment he/she leaves, …&lt;br /&gt;&lt;br /&gt;2. Managing IT and non-IT assets: e.g. 
streamline the processes at a helpdesk: based on the answers given by a user, a solution is given without the intervention of a helpdesk employee.&lt;br /&gt;&lt;br /&gt;One important question was: isn’t there a remarkable overlap with ITIM (Identity Manager)? The answer was more or less fuzzy.&lt;br /&gt;&lt;br /&gt;As a last topic on this first day, Michael Ravelingien gave a very clarifying demo of Encentuate’s single sign-on solution (also strong authentication) (http://www-01.ibm.com/software/tivoli/products/access-mgr-esso/), acquired by IBM somewhere in March 2008. It was pretty astonishing to see what the possibilities of that package are; remember … once upon a time with Passlogix (but it could run as a standalone application). According to a Gartner report, the support of the latter will continue for another two years (dated 14th of March 2008) while IBM is preparing a migration to Encentuate-based solutions. The tool has the possibility to work in a shared or private workspace within a Windows environment, where there is a performance gain when choosing the first option. The second option is security-wise a better option because each user has his/her own context. Furthermore, RF-badge authentication is supported out of the box, and it is possible to close user windows when switching from one user session to another … a great tool as soon as kiosk PCs (e.g. 
hospitals) come into the picture!&lt;br /&gt;&lt;br /&gt;We ended our first day with a dinner in the restaurant, sitting next to Steve Anderson … really a nice guy!</description><link>http://www.is4u.be/~blog/2009/04/benelux-tivoli-user-group-day-1.html</link><author>noreply@blogger.com (Wim)</author><thr:total>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-698829246057037173.post-8634565997437509382</guid><pubDate>Tue, 14 Apr 2009 15:06:00 +0000</pubDate><atom:updated>2009-04-14T23:22:51.409+02:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>IBM</category><category domain='http://www.blogger.com/atom/ns#'>Access Management</category><category domain='http://www.blogger.com/atom/ns#'>OpenSSO</category><category domain='http://www.blogger.com/atom/ns#'>SUN</category><category domain='http://www.blogger.com/atom/ns#'>WebSEAL</category><title>WebSEAL and OpenSSO; combining the best of both worlds</title><description>&lt;a href="http://www-01.ibm.com/software/tivoli/products/access-mgr-e-bus/"&gt;WebSEAL&lt;/a&gt; enthusiasts will tell you that this reverse-proxy solution is of top quality and offers customers a great deal of flexibility. On the other hand, they would have to admit that it requires development effort to integrate it with other (stronger) authentication modules than the four authentication modules it ships with.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://opensso.dev.java.net/"&gt;OpenSSO&lt;/a&gt; enthusiasts will tell you that the free OpenSSO product is of top quality and offers customers a great deal of flexibility and authentication modules out-of-the-box. 
On the other hand, they would have to admit that one has to build one's own reverse-proxy solution with it.&lt;br /&gt;&lt;br /&gt;If only there was a way to create a synergy between these two market-leading products ... Enter the WebSEAL External Authentication Interface (EAI). This WebSEAL feature allows customers to delegate the authentication process to a third-party component. Using OpenSSO as the External Authentication component is like a perfect match. OpenSSO supports a vast number of authentication modules right out-of-the-box like Active Directory, SAML, SecurID, InfoCard and even biometric systems, to name a few. Furthermore, it can be deployed on a WebSphere application server and, last but not least, it's free!&lt;br /&gt;&lt;br /&gt;At IS4U, we put this into practice and wrote &lt;a href="http://www.is4u.be/IBM%20Tivoli%20Access%20Manager%20and%20Sun%20OpenSSO%20-%20Combining%20the%20best%20of%20both%20worlds.pdf"&gt;a whitepaper&lt;/a&gt; about it. It's freely accessible. Feel free to distribute our whitepaper to whom it may concern and provide us with feedback.&lt;br /&gt;</description><link>http://www.is4u.be/~blog/2009/04/webseal-and-opensso-combining-best-of.html</link><author>noreply@blogger.com (Robin)</author><thr:total>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-698829246057037173.post-1087005342952527763</guid><pubDate>Mon, 09 Feb 2009 21:56:00 +0000</pubDate><atom:updated>2009-02-10T09:06:43.053+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Risk Assessment</category><category domain='http://www.blogger.com/atom/ns#'>Conference</category><title>ESSoS 2009</title><description>Last week I went to the &lt;a href="http://distrinet.cs.kuleuven.be/events/essos2009/"&gt;International 
Symposium on Engineering Secure Software and System (ESSoS) 2009&lt;/a&gt;. I attended the tutorial on Risk Management in Practice – Model Based Security Risk Analysis with the CORAS Method. I must say, it turned out to be an enlightening day.&lt;br /&gt;&lt;br /&gt;I think the main conclusion that can be drawn from the audience comments is twofold. On one hand, the CORAS method, with its diagrams, provides a convenient manner to visualise risk and communicate with the customer about it. On the other hand, it lacks the formality (and to be more specific: the checklists) that other Risk Assessment methodologies offer. The best example of the latter was demonstrated during an interactive workshop in which there was (due to the cumulative security expertise in the room) an ad-hoc explosion of vulnerabilities, threat scenarios and unwanted incidents for a relatively simple scenario.&lt;br /&gt;&lt;br /&gt;Doing some Google searching on the pointers I got from people in the audience on other Risk Assessment approaches, I found &lt;a href="http://www.enisa.europa.eu/rmra/rm_home_01.html"&gt;this interesting page&lt;/a&gt; on the Europa portal (which does not mention the CORAS method ... 
yet) that allows you to compare different approaches to Risk Assessment.&lt;br /&gt;&lt;br /&gt;If you would like to check out CORAS for yourself, &lt;a href="http://coras.sourceforge.net/"&gt;the sourceforge page&lt;/a&gt; of the project should be an excellent place to get you started.</description><link>http://www.is4u.be/~blog/2009/02/essos-2009.html</link><author>noreply@blogger.com (Robin)</author><thr:total>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-698829246057037173.post-4002196747994694468</guid><pubDate>Fri, 20 Jun 2008 07:17:00 +0000</pubDate><atom:updated>2008-06-25T16:06:33.530+02:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Identity as a Service</category><category domain='http://www.blogger.com/atom/ns#'>OpenID</category><category domain='http://www.blogger.com/atom/ns#'>Digital Identity</category><title>Identity Dialtone vs OpenID</title><description>Two recent posts of Mark Dixon about &lt;a href="http://blogs.sun.com/identity/entry/identity_dialtone"&gt;Identity Dialtone&lt;/a&gt; and &lt;a href="http://blogs.sun.com/identity/entry/eliminating_gossipy_cousin_mabel_metaphorically"&gt;eliminating gossipy cousin mabel metaphorically&lt;/a&gt; compare the Plain Old Telephone Service with Identity as a Service. 
Mark Dixon says IaaS should follow the characteristics of POTS and that IaaS should be User-Centric.&lt;br /&gt;I'm going a step further than Mark and I'm going to put the name OpenID on it and see if OpenID can match up with POTS and its characteristics.&lt;br /&gt;&lt;ul&gt;&lt;li style="font-weight: bold;"&gt;Highly available&lt;span style="font-weight: normal;"&gt;: OpenID at ISPs will provide high availability&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Highly reliable:&lt;/span&gt; The existing internet technologies (see further) are working reliably now, and so will OpenID.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Highly standard:&lt;/span&gt; OpenID is an open, decentralized, free framework. OpenID takes advantage of already existing internet technology (URI, HTTP, SSL, Diffie-Hellman).&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Easily recognized:&lt;/span&gt; Everybody knows URLs. The OpenID logo is easily recognizable.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Simple to use:&lt;/span&gt; Log in to your Identity Provider once and start using your OpenID URL.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Usable:&lt;/span&gt; It allows you to log in easily. Just use your own URL.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Ubiquitous:&lt;/span&gt; Here we have a problem.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Critical to our daily activities:&lt;/span&gt; IaaS itself isn't critical yet, and this is the same for OpenID.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;So commonplace we take it for granted:&lt;/span&gt; URLs are taken for granted.&lt;/li&gt;&lt;/ul&gt;The ISP could be a good replacement for the Telecom companies as it should only distribute the URLs. There is only one (pretty important) issue regarding this and that's privacy. 
Should your ISP be in control of all your Digital Identities?</description><link>http://www.is4u.be/~blog/2008/06/identity-dialtone-vs-openid.html</link><author>noreply@blogger.com (Stefan)</author><thr:total>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-698829246057037173.post-2543845788700274675</guid><pubDate>Tue, 03 Jun 2008 08:33:00 +0000</pubDate><atom:updated>2008-06-04T18:30:38.349+02:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Federation</category><title>Unity in multiple EU eIDs</title><description>On &lt;a href="http://www.itprofessional.be/news.cfm?id=86073"&gt;itprofessional.be&lt;/a&gt; [Dutch] I read an article about a European project to link the systems of all the member states of the EU. The result of this project will be that every citizen of a European country can use his/her eID for eGovernment solutions of a specific European country. The project is called Secure Identity Across Borders Linked and it's created by a consortium of 13 member states and Iceland.&lt;br /&gt;&lt;br /&gt;Europe doesn't want to force a unified system of eIDs but instead wants an extra layer for this to happen. The first thing that popped into my head was: Federation.&lt;br /&gt;&lt;br /&gt;Federation can be the (and I think is the best) solution to this problem. This is because it doesn't matter for the Service Provider how the authentication is done by the Identity Provider.&lt;br /&gt;For example, if I would want to make use of an eGov application in the Netherlands, they could use Federation to find my Identity Provider. In my case this would be Belgium. The Netherlands redirects me to the login page of the Identity Provider Belgium. Here I can log in with my eID. 
When the login is successful I will be redirected back to the eGov application in the Netherlands with an assertion that I'm Stefan and I'm an authenticated Belgian :). Because of the trust relation between the member states of the EU (including Belgium and the Netherlands), the Netherlands will trust this assertion and treat me as an authenticated user.&lt;br /&gt;&lt;br /&gt;If they choose federation, then only the eGov applications need to be aware of (some of the) federation protocols. Every member state can use its own eID login mechanism for authentication and just redirect every other user to his corresponding country (identity provider).</description><link>http://www.is4u.be/~blog/2008/06/unity-in-multiple-eu-eids.html</link><author>noreply@blogger.com (Stefan)</author><thr:total>2</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-698829246057037173.post-1207085656958775593</guid><pubDate>Thu, 29 May 2008 13:35:00 +0000</pubDate><atom:updated>2008-06-02T16:11:06.647+02:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>CAS</category><category domain='http://www.blogger.com/atom/ns#'>MyVD</category><category domain='http://www.blogger.com/atom/ns#'>Penrose</category><title>Opensource internship</title><description>&lt;p class="MsoNormal"&gt;&lt;span style=""&gt;About a month ago we, me and my friend and fellow student Wouter, started our internship at IS4U. I'll keep this introduction about us brief. 
I will just say that we arrived on a blitz from our Erasmus in Finland just the night before we started, and we're graduating as Bachelors in Applied Informatics in June.&lt;br /&gt;Our task was simple: we were to combine a single sign-on (SSO) system, in our case &lt;a href="http://www.ja-sig.org/wiki/display/CASUM/Home"&gt;CAS&lt;/a&gt;, with a Virtual Directory: &lt;a href="http://docs.safehaus.org/display/PENROSE/Home"&gt;Penrose&lt;/a&gt; and &lt;a href="http://myvd.sourceforge.net/"&gt;MyVD&lt;/a&gt;. All of them are open source software. We, being familiar with Linux, were somewhat used to working with open source software and had a good feeling about things to come.&lt;br /&gt;What we experienced with the latter, MyVD, was something different. Apart from its strange suggestive name, it was a struggle and sometimes a real hassle to find the correct information and descriptions for implementing some specific needs of our project. On top of that it was also very unstable. It wasn't long before we deemed this piece of open source software inadequate for what we needed it for. The MyVD software was not up to par; although it has some potential, it certainly lacks proper documentation. Trying to configure something that has very little documentation and a small community for support is a difficult thing.&lt;br /&gt;Our second confrontation with a free virtual directory, called Penrose, was a lot better. It even came with a software program to configure the entire virtual directory with the aid of wizards, clicking buttons and right-clicking some options. But as I feared, our enthusiasm didn’t last very long. As soon as we were done configuring, we spent about double that time troubleshooting our configuration because it got some small, but crucial, things wrong. Not to mention that it has some serious issues with third-party LDAP browsers. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;To compare the two free products would be difficult.&lt;br /&gt;MyVD was small and uncomplicated but lacked many options. Penrose was bigger, more mature, more complicated; it looked well documented and came with a really nice development tool, Penrose Studio. But here we also have to add that this product is far from ready to be implemented in a system that has to be stable and secure. It does offer more options, but it’s still not finished. We will see what happens in later releases.&lt;br /&gt;All in all, our experience with these products, considering they are free, is not that bad, and if we had had a better background in the LDAP concept we would probably have been able to figure out what we did wrong faster. But apart from that, it’s safe to conclude that these free Virtual Directories, especially Penrose, probably have a future, just not right away…&lt;/span&gt;&lt;/p&gt;</description><link>http://www.is4u.be/~blog/2008/05/opensource-internship.html</link><author>noreply@blogger.com (maarten)</author><thr:total>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-698829246057037173.post-4185863106444698447</guid><pubDate>Wed, 28 May 2008 10:01:00 +0000</pubDate><atom:updated>2008-05-28T19:53:10.626+02:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Federation</category><title>New CAPTCHA technology already obsolete?</title><description>Discussing the &lt;a href="http://alipr.com/captcha/"&gt;latest CAPTCHA technology&lt;/a&gt; with a co-worker, I got the idea that CAPTCHAs are already an obsolete technology. Its successor? 
Federation.&lt;br /&gt;&lt;br /&gt;People still need to 'register' face-to-face with lots of potential identity providers. To name a few: a technician from the ISP needs to come to your home to install an internet connection, you have to fill out some forms and hand over a copy of your identity card to open a bank account, and you have to present yourself to a clerk at city hall in order to receive an identity card. These forms of registration at Identity Providers don't require online forms; they require some sort of paper contract and a meeting in person. Some of them even hand out strong credentials in the process, like tokens or smart cards.&lt;br /&gt;&lt;br /&gt;I'm foreseeing some trouble in achieving the following prerequisites, but given ubiquitous trust in such identity providers and the privacy protection mechanisms enabled in federation protocol implementations, users will never have to fill out an online registration form again. Sites will no longer have to implement them or tinker with spam-bot protection mechanisms like CAPTCHAs. 
We will have achieved the federation nirvana.</description><link>http://www.is4u.be/~blog/2008/05/new-captcha-technology-already-obsolete.html</link><author>noreply@blogger.com (Robin)</author><thr:total>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-698829246057037173.post-1254116269669322791</guid><pubDate>Fri, 04 Apr 2008 08:21:00 +0000</pubDate><atom:updated>2008-04-04T12:36:12.404+02:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>SAML</category><category domain='http://www.blogger.com/atom/ns#'>Federation</category><category domain='http://www.blogger.com/atom/ns#'>PingFederate</category><title>"Dynamic" SAML</title><description>In an article at &lt;a href="http://www.computer.org/portal/site/security/menuitem.6f7b2414551cb84651286b108bcd45f3/index.jsp?&amp;amp;pName=security_level1_article&amp;amp;TheCat=1001&amp;amp;path=security/2008/n2&amp;amp;file=bsi.xml&amp;amp;"&gt;http://www.computer.org&lt;/a&gt;, Patrick Harding, Leif Johansson, and Nate Klingenstein talk about a way to reduce the time needed to deploy SAML-based projects.&lt;br /&gt;Dynamic SAML reduces this time through the exchange of configuration information via the metadata:&lt;br /&gt;&lt;blockquote&gt;Dynamic SAML takes advantage of security best practices and the exchange of configuration information to minimize the manual steps that administrators must currently perform to configure SAML connections securely. 
Although it isn’t yet possible to completely automate a decision of human trust, dynamic SAML can automate the underlying exchanges to make this decision fast, simple, and secure.&lt;/blockquote&gt;Dynamic SAML simplifies trust establishment between two partners because it allows you to send the keys used to sign and validate SAML SSO messages along with the metadata:&lt;br /&gt;&lt;blockquote&gt;Dynamic SAML prescribes that the partner keys used to sign and validate SAML SSO messages are included in the SAML metadata document. Trust in these keys is derived from the established trust in the metadata document itself. In effect, dynamic SAML moves trust management from a runtime issue (applicable to each protocol message) to a configuration-time issue (applicable to the overall metadata document). &lt;/blockquote&gt;Dynamic SAML also automates the metadata exchange, so that partners can retrieve the metadata when needed.&lt;br /&gt;&lt;br /&gt;Dynamic SAML is about the metadata exchange and how it can help reduce deployment times. The time saved in creating partner connections is really significant and will absolutely help reduce the overall time.&lt;br /&gt;&lt;p   style="font-family: verdana;font-family:webdings;font-size:78%;"&gt;&lt;span style="font-size:78%;"&gt;Source: Patrick Harding, Leif Johansson, and Nate Klingenstein, "Dynamic Security Assertion Markup Language: Simplifying Single Sign-On, " IEEE Security &amp;amp; Privacy, vol. 6, no. 2, March/April 2008, pp. 
83-85.&lt;/span&gt;&lt;/p&gt;</description><link>http://www.is4u.be/~blog/2008/04/dynamic-saml.html</link><author>noreply@blogger.com (Stefan)</author><thr:total>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-698829246057037173.post-5220298123693959088</guid><pubDate>Tue, 01 Apr 2008 14:15:00 +0000</pubDate><atom:updated>2008-04-01T16:15:59.821+02:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Identity Manager</category><category domain='http://www.blogger.com/atom/ns#'>SUN</category><title>Server Encryption key</title><description>When you set up a development and testing environment with Sun Identity Manager, you will run into problems with Server Encryption Keys when you try to import encrypted objects from one server instance into the other.&lt;br /&gt;&lt;br /&gt;Server encryption keys are symmetric, triple-DES 168-bit keys. A server can have more than one key. Every encrypted object is prefixed with the ID of the encryption key that was used, so Identity Manager knows which Server Encryption Key to use.&lt;br /&gt;&lt;br /&gt;For the testing and development environment it's useful to have the same encryption keys, so you can exchange your encrypted objects without much effort. You can use the Manage Encryption Key feature to create new encryption keys, export them and re-encrypt the objects with the current encryption key. This feature doesn't allow you to set the current encryption key to a specific imported encryption key, so it can't help us get the same key on both the test and development installation.&lt;br /&gt;&lt;br /&gt;For this problem we had to make a custom workflow that invoked a custom Java class. The Java class just gets and sets the current Server Encryption Key. 
The workflow displays the current key and a drop-down box to pick your new Current Server Encryption Key. Once you have imported the new Server Encryption Key (through &lt;span style="font-style:italic;"&gt;import exchange file&lt;/span&gt;) and set it as the current key, you can re-encrypt all objects with this current key through the Manage Server Key feature.&lt;br /&gt;With this solution you can have the same Server Encryption Key on all your Identity Manager instances.</description><link>http://www.is4u.be/~blog/2008/04/server-encryption-key.html</link><author>noreply@blogger.com (Stefan)</author><thr:total>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-698829246057037173.post-3956881399521092931</guid><pubDate>Tue, 01 Apr 2008 08:28:00 +0000</pubDate><atom:updated>2008-04-01T20:59:31.977+02:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Cardspace</category><category domain='http://www.blogger.com/atom/ns#'>RBAC</category><title>Roles become cards ?</title><description>I agree with &lt;a href="http://www.vquill.com/"&gt;Dave Kearns&lt;/a&gt; when he says&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;a href="http://eternaloptimist.wordpress.com/2008/03/27/no-user-context-decisions-in-your-enterprise/"&gt;Good post&lt;/a&gt; today ("No User Context Decisions in your Enterprise?") from Pam Dingle ...&lt;br /&gt;&lt;/blockquote&gt;Situations #1 and #4 in Pam's post are theoretically resolved using a role based access control approach. 
This leads me to the following two questions:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Does role equal context?&lt;/li&gt;&lt;li&gt;Do (virtual) cards become a convenient means for activating one's role?&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;Answering my own questions, I would say "yes" to both.</description><link>http://www.is4u.be/~blog/2008/04/roles-become-cards.html</link><author>noreply@blogger.com (Robin)</author><thr:total>1</thr:total></item></channel></rss>
