Collecting Metrics from your Identity Management System? Here are a few to think about, and why…

Are you tracking metrics from your IDAM implementation? Here are a few that may help identify areas for improvement.

Within IT security initiatives, Identity and Access Management systems and projects are typically considered high value: they address corporate risk, provide ROI, and meet compliance requirements. Yet they commonly run into deployment challenges, and the root cause is often having to reconcile the very people and process breakdowns that IAM automation is meant to solve. Dirty data, inconsistent process conformance, too many people involved in authorizations, lack of documentation, lack of training, and lack of change management all lead to a new trend and a call for Identity Governance, backed by performance metrics and continuous measurement.

Identity governance involves defining and executing the identity-related business processes that are most critical to the organization. For example, a systems engineer needs root / system super-user access to the server hosting an ERP system. Who needs to approve that request? Who actually takes the action and grants that access? How does that process get documented? Where is it stored, and for how long is the information kept? What information should be continually monitored?

Getting an IT governance process started can be a challenge, but maturing that governance process is where the return on investment is. Maturing your Identity Governance takes information: information you can track, trend and monitor to identify effectiveness, trends that show impact or opportunity, and which identity-related processes are most in need of attention. Below I have collected some of the more fundamental data elements I have seen offer insight, which together comprise a fairly solid system of monitoring.

• Number of uncorrelated or “orphaned” accounts. These are accounts that have no owner; they occur most frequently when a change happens, such as a promotion or a termination, and that person’s accounts were not transitioned or de-provisioned properly. Defining how many of these accounts is too many can be a challenge, but consider that each one represents a risk. They are open, live accounts that can be easily hijacked or simply used for an unauthorized purpose, whether they are accounts that were never de-provisioned or temporary accounts left open to hacking, hijacking, or inappropriate reassignment. It’s like leaving your keys in the car while you go about your daily business. How important are orphan accounts? Ask Intel: their famous case resulted in an estimated $1 billion in theft of intellectual property.

• Number of new accounts provisioned. This number should closely follow the number of new users/employees, or a simple calculation. For instance: (new employees + new contractors + new transfers) – (terminations + resignations + transfers out) = new accounts provisioned. An effective IAM program should always account for every new user who needs to be granted access to systems and applications. A discrepancy, or a significant lag, between the number of provisioned accounts and the total number of “new” users for a given period could indicate inefficient processes, poor identity data, or deficient tracking of identity data. Most likely this would require detailing and resolution during the next audit. This is also an area for enhancement, and an opportunity for possible ROI to the business.

• Password reset count per month. This is normally the metric used to justify investment in provisioning automation. It is a key metric to continue monitoring, covering both the use of automated password reset methods and any administrative intervention to reset passwords, whether help desk calls or requests made through automated means. This metric is a good indicator of password policy effectiveness, of password policy change management and user acceptance, and in general it should trend downward over time, allowing for peaks and valleys around events like enforced resets. Monitoring it provides a number of insights that help align password and identity governance processes, measure the effectiveness of the tools and automation in place to serve business users, and show the impact of those tools and automated processes.

 

• Time for identity insert/update/delete. This is a group of metrics that is hugely important for tracking and understanding risk, the effectiveness of governance processes, the effectiveness of automated processes, and the service levels you should be delivering to the business. It also helps unveil deficient business processes that need review and adjustment. Tracking how long a new user waits to get access is key for service levels; it has implicit ramifications for productivity and for the ROI opportunities typically used to justify identity automation efforts. Often, though, gaps represent shortcomings in business-side process or data, or missed assumptions about process or data. Consider too what assumptions are built into the approval processes (automated or not). These assumptions are commonly missed when estimating Identity Governance or any workflow application, yet they are built into the systems and processes as dependencies. This group of metrics serves to monitor risk (days or hours of access to systems that are potentially open to misuse) and lost productivity (days or hours of missed work). Both lead to rationalizing the governance processes against the business realities of dependent processes, data, process bottlenecks, and assumptions about authorizations and the time needed for manual intervention.

 

• Number of exceptions. This is another group, or multi-attribute type, of metric. First, the number of reconciliation exceptions. This is typically the first cut at data issues, whether from data entry, manual process, or something breaking the rules such as a backdoor account-creation capability. Reconciliation exceptions should trend toward, or reach, zero over a relatively short time, and doing so provides the key proof that your IT Identity Governance is in place and being confirmed. In addition to reconciliation, access re-certification exceptions are also important. New applications, or lifecycle expansion to include additional applications over time, may cause this number to reflect issues with specific groups of users and systems, but again over time this metric should trend toward zero. Failure to trend toward zero identifies identity data quality issues or process problems. Either way, the process, the automation, possible backdoors, and any manual processes not conforming to Identity Governance need attention, or at the very least proper documentation.

• Number of credentials. Here is a metric for which I would recommend collecting and maintaining more information, because without a doubt future needs will call for some type of cross-analysis on this data, and having fine granularity will be important. As the key metric that drives Single Sign-On (“SSO”): what unique accounts do users have? What is the average number of user accounts across all users, for users within certain organizations/teams, and for certain levels of employee? These metrics enable companies to review why the numbers for certain groups are higher (identifying systems for tighter integration with, or greater use of, the Identity Management tools and services created for the enterprise), and where opportunities exist for replacing non-compliant systems access management with systems that conform to Identity Governance compliant methods. My thoughts on minimum cross-analysis are:

  • Unique credentials per user, and for:
    • Average for all employees
    • Average for all contractors
    • Average for all employees per job classification
    • Average for all employees per cost classification or department
    • Average for non-employee/contractor types
    • Average for mobile users
    • Mean and range, also per employee, contractor, job class, department, etc.

• Violations. This might be a difficult item to monitor, but it can also be fairly straightforward if your organization has role management in place. Separation of Duty is now a fundamental aspect of Identity Management, and although I still see several companies struggle to justify implementing user group role management and creating governance for separation of duty, it is a requirement that most companies cannot do without. Monitoring violations of separation of duty policies is key, and given the goal of Identity Governance, the Identity program needs to be carefully monitored and incrementally matured. Take the case of a manager who approves raises and can also trigger an event to print checks. This very deficiency can create legal ramifications, not only because of possible fraud and theft, but for the company and its officers: your promise of compliance, the possible damage to brand value in a disclosure event, and so on make this an essential metric to track, trend, examine and re-examine, so that you continue to mature your SOD policies as well.

• Time and cost of remediation. Initially this will be a challenge, but once the data and the process are understood, the orchestration, possible automation, and reporting of remediation standards can be structured into normal governance reporting, and prove to be another, ongoing ROI that is often not measured or forecast as a benefit of the Identity Governance and Management program.
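Three of the metrics above (orphaned accounts, credentials per user, and Separation of Duty violations for the raises/checks case) can be pulled straight out of an identity data model with SQL. The following is an added example written in Oracle SQL, not code from the original post; the table names, columns and sample rows are constructed for illustration, and a real deployment would point these queries at its own reconciliation or identity warehouse tables.

```sql
-- Constructed identity model (assumed names): HR records, accounts reconciled to
-- owners, entitlements per account, and the toxic combinations the SoD policy forbids.
CREATE TABLE hr_person (
  person_id    NUMBER       PRIMARY KEY,
  login_name   VARCHAR2(30) NOT NULL,
  person_type  VARCHAR2(20) NOT NULL,   -- Employee / Contractor / ...
  status       VARCHAR2(20) NOT NULL    -- Active / Terminated
);
CREATE TABLE account (
  system_name  VARCHAR2(30) NOT NULL,   -- system the credential lives on
  account_name VARCHAR2(30) NOT NULL,
  owner_id     NUMBER,                  -- NULL when reconciliation found no owner
  PRIMARY KEY (system_name, account_name)
);
CREATE TABLE entitlement (
  system_name  VARCHAR2(30) NOT NULL,
  account_name VARCHAR2(30) NOT NULL,
  entitlement  VARCHAR2(30) NOT NULL
);
CREATE TABLE sod_rule (
  ent_a VARCHAR2(30) NOT NULL,          -- holding ent_a and ent_b together is a violation
  ent_b VARCHAR2(30) NOT NULL
);

-- Constructed sample rows, made up for this example.
INSERT ALL
  INTO hr_person VALUES (1001, 'alice', 'Employee',   'Active')
  INTO hr_person VALUES (1002, 'bob',   'Employee',   'Terminated')
  INTO hr_person VALUES (1003, 'carol', 'Contractor', 'Active')
SELECT * FROM dual;
INSERT ALL
  INTO account VALUES ('AD',      'alice',     1001)
  INTO account VALUES ('AD',      'carol',     1003)
  INTO account VALUES ('ERP',     'alice',     1001)
  INTO account VALUES ('ERP',     'bob',       1002)   -- owner has left the company
  INTO account VALUES ('ERP',     'svc_batch', NULL)   -- never correlated to a person
  INTO account VALUES ('PAYROLL', 'alice',     1001)
SELECT * FROM dual;
INSERT ALL
  INTO entitlement VALUES ('PAYROLL', 'alice', 'APPROVE_RAISE')  -- alice holds both
  INTO entitlement VALUES ('PAYROLL', 'alice', 'PRINT_CHECKS')   -- halves of the pair
  INTO entitlement VALUES ('ERP',     'bob',   'APPROVE_RAISE')
SELECT * FROM dual;
INSERT INTO sod_rule VALUES ('APPROVE_RAISE', 'PRINT_CHECKS');
COMMIT;

-- Metric 1: orphaned accounts, either never correlated to a person or owned by
-- someone HR no longer lists as active. Count the rows for the monthly trend.
SELECT a.system_name, a.account_name,
       CASE WHEN a.owner_id IS NULL THEN 'uncorrelated'
            ELSE 'owner ' || LOWER(p.status) END AS reason
FROM   account a
LEFT JOIN hr_person p ON p.person_id = a.owner_id
WHERE  a.owner_id IS NULL OR p.status <> 'Active'
ORDER BY a.system_name, a.account_name;

-- Metric 2: credentials per active user, averaged with range per person type.
-- Swap person_type for department or job class to get the other breakdowns.
SELECT person_type,
       COUNT(*)                  AS people,
       ROUND(AVG(cred_count), 2) AS avg_credentials,
       MIN(cred_count)           AS min_credentials,
       MAX(cred_count)           AS max_credentials
FROM (
  SELECT p.person_id, p.person_type, COUNT(a.account_name) AS cred_count
  FROM   hr_person p
  LEFT JOIN account a ON a.owner_id = p.person_id
  WHERE  p.status = 'Active'
  GROUP BY p.person_id, p.person_type
)
GROUP BY person_type
ORDER BY person_type;

-- Metric 3: Separation of Duty violations. Both entitlements are resolved to the
-- owning person, so a toxic pair split across two systems or accounts is still caught.
SELECT DISTINCT p.login_name, r.ent_a, r.ent_b
FROM   sod_rule r
JOIN   entitlement ea ON ea.entitlement = r.ent_a
JOIN   account     aa ON aa.system_name = ea.system_name AND aa.account_name = ea.account_name
JOIN   entitlement eb ON eb.entitlement = r.ent_b
JOIN   account     ab ON ab.system_name = eb.system_name AND ab.account_name = eb.account_name
JOIN   hr_person   p  ON p.person_id = aa.owner_id AND p.person_id = ab.owner_id
ORDER BY p.login_name;
```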

It is often hard to understand the scope and impact of these kinds of people and process breakdowns, and difficult to understand the business impact and what the ROI opportunity can be. Monitoring key items from your identity management program is about more than justifying additional investment with well-defined items of return, although it will certainly help with that. It supports the incremental program and its maturation, justifies investment in maintenance, and takes a corporate Identity Management program from an essential compliance-only reporting tool toward a governance program providing value and continued insight into impact, risk, and benefit.

Posted in CIO Services, Governance, IDAM, Oracle Fusion Applications, Security, Uncategorized

Announced Fusion Applications… NOW what…?

Now that Fusion Applications is available for general release, and Larry/Oracle have delivered on the promise of the past 5 years of Oracle Fusion Applications…

So should users migrate to Fusion or stick with their existing platforms? 

Oracle is not pushing this down anyone’s throat, but they are touting the benefits, providing the case studies, and sharing with CIOs the ROI/CB associated with Fusion Applications. The reality is that Oracle has provided for adoption, waiting, or something in between, and has made coexistence possible as well.

Accordingly, Oracle has developed coexistence processes that extend across all major product lines, including Oracle’s Siebel CRM, Oracle’s PeopleSoft, Oracle’s JD Edwards and the Oracle E-Business Suite.

“Oracle Fusion Application coexistence means organizations can incrementally adopt without the expense of a complete overhaul.”

Oracle’s Applications Unlimited initiative allows customers to remain on existing apps like PeopleSoft, Oracle EBS or Siebel CRM, or else move over to Fusion. Part of the strategy is to use Fusion as a gateway to cloud-based enterprise apps. My recommendation is that this adoption needs to start, but need not be intrusive to existing IT projects and business systems. Most companies have a number of their own applications which represent IP and differentiation; these have smaller user communities than, say, EBS or CRM, do not have the financial implications or time-critical nature of an EBS environment, and are not written in Java or the Oracle FMW SOA tools.

Start the adoption process with these lower-risk but clearly beneficial systems. They can help with the learning curve of the new platform, benefit from the simplified integration, tools and technologies, and serve as a reference model for the incremental adoption of EBS and other applications onto the Fusion platform.

Posted in Cloud, Java, Oracle Fusion Applications, SOA

IT Governance (Can it work?)

CIOs continue to face many challenges: they must improve ROI, increase service levels, and enhance security, all while maintaining flat budgets and headcount, and remaining nimble enough to deliver new information and services in record time to support revenue and help the business gain any competitive edge imaginable.

How can CIOs meet these objectives while still living with current restrictions? By fundamentally changing how the IT department is run, by implementing IT governance. It’s a buzzword you’ll hear a lot about this year. Here’s why this new concept could be exactly what you’ve been looking for to improve processes without increased funds.

Defining IT governance

At its most basic level, IT governance is the set of policies, processes, and procedures that support everything else that IT does. Some disciplines that make up IT governance are change management, problem management, release management, availability management, and service-level management.

IT governance isn’t sexy like the latest technology innovation, and no one is selling IT governance with hundred-million-dollar marketing budgets. Yet IT governance is at least as important as any piece of infrastructure or any application, perhaps more so in an environment where the CIO has to do more with less.

The need for IT governance

Thanks to enterprise applications, e-business, and Y2K, IT organisations were in constant fire-fighting mode from 1995 through 2000. The emphasis was on speed of implementation, even if this meant cutting corners or compromising on quality. This resulted in problems such as missed project deadlines, cost overruns, unanticipated downtime, and security lapses. Not to mention that innovation was done in silos, and enterprises found themselves with multiple systems doing similar things differently.

IT governance is meant to address and correct these bad habits. It’s based on high-quality, well-defined, and repeatable processes. At a more detailed level, governance outlines policies, highlights procedures, requires meticulous documentation, and establishes a plan for constant improvement.

Models in place

There are several well-established IT governance models. The most popular is the IT Infrastructure Library (ITIL), which was formulated by the Central Computing and Telecommunications Agency (CCTA) for the UK government and is now owned by the Office of Government Commerce (OGC). ITIL has widespread support in Europe, and has rapidly gained popularity in North America. ITIL defines a set of best practices in 24 disciplines.

Another established IT governance framework is the Control Objectives for Information and Related Technology (CobiT). CobiT was created to align IT resources and processes with business objectives, quality standards, monetary controls, and security needs. CobiT is composed of four domains:

  • Planning and organisation
  • Acquisition and implementation
  • Delivery and support
  • Monitoring

Each of these domains has a series of subdomains that fill in the details.

The ROI can be high

Many organisations have embraced ITIL and CobiT and have achieved measurable success. I’ve read that Procter & Gamble adopted the ITIL model in the late 90s and claims that through ITIL it has saved more than US$500 million over four years.

A study of the savings within Procter & Gamble’s finance and accounting IT departments showed a six percent to eight percent cut in operating costs and a reduction in technology staff of between 15 percent and 20 percent.

When IT processes are performed by 3,000 people consistently across one company, service management can deliver tremendous savings. Not just the financial aspects; think of the soft benefits too: of 3,000 employees, almost half might interact with a customer in some way, and you can ensure that whatever process an employee must engage a customer on is consistent, predictable, controlled, and measured.

CobiT has its share of success stories as well. The state of Kansas uses CobiT standards as part of its virtual government strategy to keep costs low and deliver consistent service to its customers and constituents. Dell Computer includes CobiT best practices as part of its Control Self Assessment (CSA) corporate policy, a set of auditing checks and balances for its quality control program.

Establishing IT governance

These impressive results from well-respected organisations are clear indicators that IT governance can pay off. But sometimes starting can be the toughest step to take. Here are some tips on proceeding with IT governance:

  • Focus on the biggest weaknesses. Implementing the entire ITIL or CobiT model would be overwhelming for any IT shop. Instead, start with the biggest pain point. For example, if your IT organisation is having trouble supporting a large distributed organisation, do what Ontario did and execute the ITIL help-desk processes. Work through the training, organizational changes, and implementation challenges in one area as a learning experience, then move on to other problem areas. Remember to benchmark the current environment before you begin the IT governance effort so you can measure progress over time.
  • Get buy-in from executive management and the IT staff. Although IT governance is designed to improve efficiency and business responsiveness, it does involve some formal process changes that may introduce formality and friction in the organisation. Senior executives must lead the transition by rallying the company and communicating that any short-term changes are an investment in long-term benefits for the entire organisation. The CIO must get the troops behind the effort through compensation changes, where IT bonuses are based on overall metric improvements and budget reductions. Once IT governance standards are in place, experts say you can expect to see positive results in six months.
  • Plan for change management. Reward adoption, publicize impact, and make sure you find a way to measure success, both for your sponsor and for communication with the public/company participants.
  • Get help. Getting a mentor or outside help need not be overwhelming. Engage a professional to support and assist in making best-practice recommendations and applying them to your own unique priority problems.

Start now on the path to big rewards

CIOs can’t continue to try to maintain the status quo when they are on the hook to improve results while decreasing staff and overall spending.

IT governance standards such as ITIL and CobiT obviously can help lower costs while improving service. Procter & Gamble, the government of Ontario, the state of Kansas, Dell Computer, and others have seen measurable improvements by establishing IT governance. That’s why CIOs should start small and grow, get corporate and IT buy-in, and find service partners to start the governance process. Make best practices their own practices, adjusted for their organization and its own processes.

Posted in CIO Services, Governance, IDAM, Security, SOA

Quotes to CRN…..

http://m.crn.com/69720/show/ea8ab97e81dc70e4640ce6aa70a17735&t=7afc716691ee21ca5aa93b941e43753b

I was interviewed and provided my opinion. I am interested in counterpoints, but I’ve not seen any reason for concern. I will keep my ears open, but let’s be honest…

Posted in Java, Uncategorized

Oracle Gateway supports Security for SOA….

Oracle Enterprise Gateway is a component of Oracle Fusion Middleware 11g that secures, accelerates, integrates and routes XML, Web Services and other types of data to help lower integration costs and reduce deployment risks. A pretty useful tool, the Oracle Enterprise Gateway is also designed to secure service-oriented architecture (SOA) deployments on-premise, across domain boundaries, or in the cloud. Its design provides an easy way to secure, accelerate and integrate XML and other types of data, lower integration costs and cost of ownership, and reduce deployment risks.

Gateways normally don’t provide rich integration with identity and access management platforms. Oracle’s does, and this helps streamline regulatory compliance through authentication, authorization and audit capabilities. The overall cost of ownership of using a gateway just got a lot less complex and less expensive to administer.

Fully integrated and certified with Oracle Fusion Middleware 11g, it offers out-of-the-box integrations with other Oracle Fusion Middleware 11g products including Oracle SOA Suite 11g, Oracle SOA Governance, Oracle Identity Management 11g, as well as Oracle Enterprise Manager.

Highlights of Oracle Enterprise Gateway include:

DMZ-class security for SOA and cloud environments: provides DMZ-class security and a threat defense system at the service perimeter of SOA and cloud environments, thus providing the critical protection needed between untrusted and trusted zones.

Accelerated XML processing: enables SOA and cloud applications to offload resource-intensive XML-based operations, resulting in significant performance gains for applications.

Open and standards-based: plugs into third party platforms and non-Oracle environments such as IBM, CA and RSA to help customers reduce integration costs, lower costs of ownership and lower deployment risks.

Authentication, authorization and audit capabilities: robust XML connectivity and security capabilities to safeguard traffic between heterogeneous environments, resulting in heightened security and scalability. It provides run-time enforcement of authentication, authorization and audit rules defined by other identity management products on the market.

SOA & Cloud Ready: Oracle Enterprise Gateway can be deployed in the cloud and can also mediate traffic in different data formats such as SOAP, REST, XML etc., thereby improving efficiencies associated with SOA infrastructures on-premise or in the cloud. Oracle Enterprise Gateway also manages connections to the enterprise, partners and third party cloud services. It allows central management of API keys vital for authentication to cloud services and provides enhanced security with threat protection and message redaction capabilities. Additionally, it enables organizations to aggregate multi-domain services across enterprise, partners and third-party cloud services and apply critical governance controls for service access, usage and availability, in the DMZ.

Extensible: The Oracle Enterprise Gateway is highly extensible through technologies such as Java, XSLT, JavaScript, Groovy and allows customers to complement the rich out-of-the-box provided product capabilities with functionality to meet their specific needs.

Companies worldwide are deploying SOA infrastructures using web services on-premise and in public cloud environments. While web services offer many advantages, they also present challenges, especially in terms of security and management.  With Oracle Enterprise Gateway this just became a bit easier and less expensive…

Posted in Cloud, IDAM, Security, SOA

Understanding the relationships of BPM, EA, and SOA

A quick study in understanding the relationships between EA, SOA, and BPM:
Okay, without spending too much time talking about the trends, adoption, or promise of these overused, typically over-hyped and underappreciated terms, I will dive into the topic at hand. What, if any, is the relationship between SOA, BPM and EA? First, some quick definitions:

BPM is a practice that focuses on identifying whether a business process is operating within normal operating ranges. How can you tell? First, you identify some key performance indicators (KPIs) that you will use to measure your business process (this implies you actually understand your business); next, you baseline your current business process; lastly, you modify one variable at a time to see the impact it has on the process. Since this last step can have a financial impact on your business, you may want to consider using simulation to assist in this process. Here we deliver foundation services within our BI and EPM practices, which can be taken to the next level with the Fusion Practice to support the business.

SOA is a practice that focuses on modeling the entities, and relationships between entities, that comprise the business as a set of services. This can be done on a small or large scale. Typically, the relationships in this model represent consumer/provider relationships. Doing SOA correctly implies you are taking a top-down approach. I’ve seen and read views that discuss the bottom-up approach to SOA and I don’t believe the initial results of that represent SOA. Perhaps it’s a component model, but not a services model. The value of SOA is that you are aligning IT with the business using this architecture methodology.

Finally, EA is the “Holy Grail” of architecture practices. It attempts to get the architect(s) to take a holistic approach to thinking about the organization. It organizes the structure of approaches for delivery and support of solutions at the enterprise level. The goal of cataloging and modeling at this scale is that you can see “the forest for the trees”. It’s very easy to think about solutions in your organization based purely upon need, creating a direct solution for a direct need; typically you will end up with a set of disparate and disconnected silos. Cataloging that need in an EA enables the organization to recognize consistent patterns and consolidate around them. Thus, those who are successful see operational costs reduced, redundancy avoided, and the time of a company’s subject matter experts spent solving the unique aspects of new problems, or innovating, rather than continually reinventing the same solutions over and over again.

SOA & BPM: SOA and BPM are methodologies, or at least a structure/framework of approaches and techniques, not tools or technologies. It’s irrelevant whether SOA suites can do BPMS or BPMS suites support SOA (Oracle SOA Suite bundles an application server, workflow management, BPM, messaging management, event management…). There is no direct relationship between these methodologies just because vendors discovered that they can use Web Services as a way to execute a task within a business process. Web Services is not SOA; it is merely a standardized approach to accessing functionality on remote systems.

However, a well-designed SOA can simplify BPM by enabling rapid business process modeling that only needs to go as deep as identifying the right service, rather than having to identify the entire sub-task. SOA can also simplify BPM by denoting in the service the types of KPIs that the service maintains for itself. This requires full understanding that a service is a measurable unit and that metrics are a key component of the development of the service. One of the best practices is: if you can’t measure it, it’s not a service. So, to finally get to the bottom line on the relationships between EA, SOA and BPM: “SOA and BPM are views within the enterprise architecture”. They don’t replace the need for EA, and they cover only a fraction of EA’s requirements list.

Posted in Uncategorized

How to Enforce Oracle Password Complexity

The days of bob having a password of bob are long gone. Security policies around passwords are common, and enforcing a degree of complexity so that passwords are not easy to guess is a fact of life. This is the most basic method of beginning to protect your digital assets from inappropriate use. There are many recommendations for creating passwords that are complex, or for what may be termed password strength. Here are a few of the more fundamental guidelines for creating reasonable strength that will be generally viewed as acceptable for most applications and uses.
#1. Passwords should have at least 8 characters and not more than 24 characters. (Within Oracle there is a 30-character password maximum.)
#2. Passwords should have at least one uppercase character.
#3. Passwords should have at least one lowercase character.
#4. Passwords should contain at least one special character or number. (Often both are recommended.)
#5. Passwords should not start with a number.
#6. Passwords should not be based, in whole or in part, on a word found in a dictionary (English or other).
#7. Avoid schemes like employee number, department number or any intelligent key type which gives an insider an advantage in constructing or guessing anyone else’s password.

I may consider it common knowledge, but it needs to be reinforced: password compromise, and overall any organization’s greatest security threat and misuse of digital assets, comes from its own employees. Thus my last point above is meant to make sure passwords avoid the use of schemes which may be identified within a company. Because passwords that adhere to complex policies or guidelines are not easy to create and are even harder to remember, individuals need to come up with some clever schemes to generate passwords that conform to the requirements and that they can remember. For this reason communicating only the policy is simply not enough; as it is then random which individuals’ passwords end up weak, IT policies should provide a list of possible approaches for users to pick passwords they can remember. (Start with some type of word or name which is not easily identified or associated with you.) Think about the security or challenge questions nearly all of us have been asked to create for online accounts. My high school had a very odd mascot name which I know most or all of those I work with would never know. Capitalize the first letter, substitute some letters with a number and a special character, keep the remaining letters in lowercase, and you’re close. (I personally don’t use this anymore, but my own example is taking the name Brickie to a password I can remember, like Br$ck1ez. This is far superior to something like taking the word “malicious” and turning it into M4l1c1oUs.) Yes, I know they don’t look too different, but check out on the web any number of password crackers like “John the Ripper”, “PWDump”, or any of several other free password-breaking software packages. There are even sites that rank them and provide tutorials for making them work. No password is 100% safe, but following these guidelines removes the easy target from your forehead.

With Oracle, the “PASSWORD_VERIFY_FUNCTION” parameter of password profiles allows you to specify a function for validating password strength. The parameter’s value is a PL/SQL function that is invoked each time a password is assigned to a user/account; if the assigned password is not compliant, the attempt simply fails.

Oracle provides a sample password verification function in the “UTLPWDMG.SQL” script located in $ORACLE_HOME/RDBMS/ADMIN. You can use this function as is, or as the starting point for your own customization. Be careful to read the comments, as this script provides for both Oracle 11g and pre-11g instances.
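As an added example (this is not UTLPWDMG.SQL and not code from the original post), here is a custom verify function that implements the seven guidelines listed above and is then attached to the DEFAULT profile. The function name and the short word list are assumptions; Oracle requires the function to be created in the SYS schema.

```sql
-- Added example (not Oracle's UTLPWDMG.SQL): a verify function for the seven
-- guidelines above. Create it as SYS; the name blog_verify_function is assumed.
CREATE OR REPLACE FUNCTION blog_verify_function (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2)
RETURN BOOLEAN IS
  -- Constructed, deliberately short word list; load a real dictionary in production.
  TYPE word_list IS TABLE OF VARCHAR2(30);
  bad_words word_list := word_list('password', 'welcome', 'oracle', 'secret', 'malicious');
  lower_pw  VARCHAR2(1024) := LOWER(password);
  differ    INTEGER := 0;
BEGIN
  -- #1: 8 to 24 characters (Oracle itself stops at 30).
  IF LENGTH(password) < 8 OR LENGTH(password) > 24 THEN
    raise_application_error(-20001, 'Password must be 8 to 24 characters long');
  END IF;
  -- #2 and #3: at least one upper-case and one lower-case letter ('c' forces
  -- case-sensitive matching regardless of the session NLS_SORT setting).
  IF NOT REGEXP_LIKE(password, '[A-Z]', 'c') OR NOT REGEXP_LIKE(password, '[a-z]', 'c') THEN
    raise_application_error(-20002, 'Password needs upper- and lower-case letters');
  END IF;
  -- #4: at least one character that is not a letter (digit or special character).
  IF NOT REGEXP_LIKE(password, '[^A-Za-z]') THEN
    raise_application_error(-20003, 'Password needs a digit or special character');
  END IF;
  -- #5: must not start with a number.
  IF REGEXP_LIKE(password, '^[0-9]') THEN
    raise_application_error(-20004, 'Password must not start with a number');
  END IF;
  -- #6: must not be built around a dictionary word (case-insensitive substring).
  FOR i IN 1 .. bad_words.COUNT LOOP
    IF INSTR(lower_pw, bad_words(i)) > 0 THEN
      raise_application_error(-20005, 'Password must not contain a dictionary word');
    END IF;
  END LOOP;
  -- #7: reject the one insider-known identifier this function can see, the username;
  -- employee or department numbers would need an extra lookup against HR data.
  IF INSTR(lower_pw, LOWER(username)) > 0 THEN
    raise_application_error(-20006, 'Password must not contain the username');
  END IF;
  -- Like UTLPWDMG.SQL, require the new password to differ from the old one in at
  -- least three positions; old_password is NULL when Oracle does not supply it.
  IF old_password IS NOT NULL THEN
    differ := ABS(LENGTH(old_password) - LENGTH(password));
    FOR i IN 1 .. LEAST(LENGTH(old_password), LENGTH(password)) LOOP
      IF SUBSTR(old_password, i, 1) <> SUBSTR(password, i, 1) THEN
        differ := differ + 1;
      END IF;
    END LOOP;
    IF differ < 3 THEN
      raise_application_error(-20007, 'Password must differ from the old one in 3+ positions');
    END IF;
  END IF;
  RETURN TRUE;
END blog_verify_function;
/

-- Attach it to the DEFAULT profile (or a dedicated one). From now on every
-- CREATE USER / ALTER USER ... IDENTIFIED BY runs the checks and a non-compliant
-- password is rejected with ORA-28003 carrying the message raised above.
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION blog_verify_function;
```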

How to check for weak and default passwords? Default accounts that come prepackaged with the database and applications have default, well-known passwords and create serious concern and holes in any security requirement. There have been several well-documented data compromises in corporate America that began with well-known default account and password information. Oracle 11g offers a few remedies for this. First, default accounts that come with the database are either set to be locked with an expired password, or have to be given a non-default password when you install the database. This takes care of new installations of the database. Now let’s look at existing and upgraded databases. A new feature in Oracle 11g provides for monitoring of default passwords: a new view called DBA_USERS_WITH_DEFPWD. If you select from this view you will get a list of all default accounts that still have a default password. As an example, if you have the default SCOTT/TIGER and you run

SQL> select * from dba_users_with_defpwd;

your result will be

USERNAME
------------------------------
SCOTT

Oracle 11g has the hashes for all the default passwords and checks whether any passwords in USER$ match the hash values for the default passwords. Now it's fairly simple to make sure this common hole is not left open. Setting up a monitoring script to query this view daily and send an alert or email to the DBA or security-responsible person should it return rows is a simple, common monitoring task that is generally acceptable to audit professionals.
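As an added example (not from this post and not Oracle's own UTLPWDMG.SQL), here is a custom password verification function in the shape Oracle expects for PASSWORD_VERIFY_FUNCTION, a profile that assigns it, and the daily default-password check against the view above joined to DBA_USERS so an alert carries the account status and profile. The names secure_profile and app_verify_pw are assumptions, the function must be created as SYS for the profile to accept it, and the thresholds (12 characters minimum, at least 3 characters changed from the old password) are choices made for this example.

```sql
-- Added example; run as SYS. Function and profile names are assumptions.
-- Signature (username, password, old_password) RETURN BOOLEAN is what
-- Oracle requires of a profile verification function.
CREATE OR REPLACE FUNCTION app_verify_pw (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2
) RETURN BOOLEAN IS
    has_upper   BOOLEAN := FALSE;
    has_lower   BOOLEAN := FALSE;
    has_digit   BOOLEAN := FALSE;
    has_special BOOLEAN := FALSE;
    differences PLS_INTEGER := 0;
    c           VARCHAR2(1);
BEGIN
    -- Minimum length (12 is this example's choice, not an Oracle default)
    IF LENGTH(password) < 12 THEN
        raise_application_error(-20001, 'Password must be at least 12 characters');
    END IF;

    -- Reject passwords built from the account name (case-insensitive)
    IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
        raise_application_error(-20002, 'Password must not contain the user name');
    END IF;

    -- Require upper, lower, digit and special characters
    FOR i IN 1 .. LENGTH(password) LOOP
        c := SUBSTR(password, i, 1);
        IF    ASCII(c) BETWEEN 65 AND 90  THEN has_upper   := TRUE;  -- A-Z
        ELSIF ASCII(c) BETWEEN 97 AND 122 THEN has_lower   := TRUE;  -- a-z
        ELSIF ASCII(c) BETWEEN 48 AND 57  THEN has_digit   := TRUE;  -- 0-9
        ELSE                                   has_special := TRUE;
        END IF;
    END LOOP;
    IF NOT (has_upper AND has_lower AND has_digit AND has_special) THEN
        raise_application_error(-20003,
            'Password needs upper case, lower case, a digit and a special character');
    END IF;

    -- When the user changes their own password, old_password is supplied;
    -- require at least 3 positions to differ. A DBA-set password passes NULL.
    IF old_password IS NOT NULL THEN
        FOR i IN 1 .. GREATEST(LENGTH(password), LENGTH(old_password)) LOOP
            IF SUBSTR(password, i, 1) IS NULL
               OR SUBSTR(old_password, i, 1) IS NULL
               OR SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
                differences := differences + 1;
            END IF;
        END LOOP;
        IF differences < 3 THEN
            raise_application_error(-20004,
                'Password must differ from the previous one in at least 3 positions');
        END IF;
    END IF;

    RETURN TRUE;
END;
/

-- Profile that enforces the function together with lockout and reuse limits
CREATE PROFILE secure_profile LIMIT
    PASSWORD_VERIFY_FUNCTION app_verify_pw
    FAILED_LOGIN_ATTEMPTS    5
    PASSWORD_LOCK_TIME       1/24      -- one hour, expressed in days
    PASSWORD_LIFE_TIME       90
    PASSWORD_REUSE_TIME      365
    PASSWORD_REUSE_MAX       10;

ALTER USER scott PROFILE secure_profile;

-- A non-compliant password now fails with ORA-28003 and the function's message:
-- ALTER USER scott IDENTIFIED BY weak;

-- Daily check for accounts still on a default password (the 11g view from the
-- post), with status and profile so the alert to the DBA has context.
SELECT d.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;
```

The final query is the one to wrap in the daily job the post recommends: any row returned is an open, well-known credential, and the account_status column tells you immediately whether it is at least locked or expired.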


(Finance, Healthcare, and Utilities) Challenges in Growth

Hospitals, banks, and power utilities all have a unique challenge due to their rapid growth, be it from acquisition, merger, or expansion (typically all three), coupled with a rapidly evolving technology landscape and constantly changing compliance requirements. Yet each industry, in an effort to meet the strategic needs of the business, regularly adds new end-user devices such as desktop PCs, handheld computers, wireless devices, tablets, and patient care or specialty integrated wireless devices. These changes have manifested into several islands of IT assets, each with its own security and risk, but managed in isolation to offer debatable protection. In an era where network computing, virtualization, SOA integration, and cloud are prevailing, these key growth industries seem to be expanding the sprawl of disparate, unintegrated platforms. Part of the challenge is that each has multiple user communities working with various non-standardized devices in various locations, each with different pieces of software running on different platforms. Device tracking and support is complicated and cumbersome. (This sounds like a huge opportunity to find and realize cost savings.)

Replacing outdated management strategies and development paradigms with new, adaptable strategies that support these demands yet focus on GRC and management with an enterprise approach, for things like security, device support, integration, and services supporting an enterprise single source of truth for mobile or specialty point-of-service applications, makes the cost savings easy to identify. More to come here, as I have seen a number of frameworks which apply; starting with the frameworks for devices (among them specialty and special-needs devices), there are several open source frameworks for starters. Next is the enterprise GRC, which may be fuzzy at several companies, but the aim is finding ways to have these specialty applications conform and comply with the enterprise governance structure.

Comprehensive service-oriented management tools that automate policies and processes can reduce the manual management required to maintain IT assets, helping hospitals, banks, or power generation facilities plateau the rising expense of management time spent supporting user productivity. Taking proactive steps to deploy a solution for managing IT lifecycles not only increases efficiency, it also reduces the total cost of ownership for systems, and inherently supports integration and data sharing with the existing, proven security models already in place within your enterprise.

An initial key first step here is "Managing Systems Inventory". For this a company need not institute a complete lifecycle management system, but it does need to use a data-rich model for cataloging existing systems, sub-systems, schemas, IT code, and logic assets. For enterprise IT organizations, integrating and relating this information with the data typically already captured, but not integrated, about the devices is the next step. Tracking mobile devices beyond inventory is difficult, but once you integrate the key informational systems, code and applications these devices run, it becomes much easier to address IT issues around maintenance, security, audit reporting or compliance. It's also amazing how much time the help desk saves on triage or discovery in support of these devices and users once the applications and devices can be linked. Have at least a centralized, up-to-date client device inventory: where devices are located and who is accountable for their use, along with which short list of applications.

Another key area is the management of software deployments. This is currently very manual and prone to mistakes, or challenged by new provisions having a mix of non-standardized needs. What happens when IT removes a device from service to evaluate operations, install or update software patches, or even troubleshoot problems? The result is downtime for the specialty-needs systems, with business implications.

Managing the regulatory compliance and security

Without a centralized client management system, IT has to discover and track all devices based on either a manual method or on the user or use role associated with the holder of the device. This works for devices which are statically assigned to individuals, but what about shared mobile devices, like those within a hospital infrastructure? Role assignment to a device simply does not work.


Links for Compliance Regulations

Useful files:

http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf

http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf


Some businesses now need to answer to the Department of Homeland Security.

The Obama administration has unveiled a cyber-security plan to provide protection for critical infrastructure, data-breach-notification laws and cyber-defense. The plan does endorse the bill sponsored by Sen. Harry Reid of Nevada that is currently under consideration in Congress.
The White House proposal addresses how to protect critical infrastructure, including electric grids, financial systems and transportation networks, from cyber-attackers. The Department of Homeland Security would take the lead role in working with states and businesses to respond to cyber-attacks and provide immunity to organizations that share cyber-security information, according to a fact sheet on the White House Blog.
The administration struck a balance between securing critical infrastructure and not making decisions for the companies who actually own and operate the infrastructure. Companies retained a lot of authority to draw up their own cyber-security plans and implement them. The plan summaries have to be publicized and if it doesn’t seem comprehensive enough, DHS has provision to modify these plans, according to the White House proposal.
The current White House spin is that this plan will, quote, "Fundamentally, strike a balance between maintaining the government's role and providing industry with the capacity to innovatively tackle threats to national cyber-security," according to White House cyber-security coordinator Howard Schmidt. Although this creates a number of concerns, it does begin to show that legislative members are still concerned with being too aggressive toward business. Today businesses are struggling to keep up with the legislative requirements, and this year's laws, although they provide for greater governmental involvement and threat, fail to put any sharper teeth into the bite for failing to secure the public's information.
However, companies would also be required to report any "significant cyber-security incident" to DHS. The White House asked for legislation that would give Homeland Security a much more active role in working with the private sector. The lack of a "clear statutory framework" describing the role DHS could play has "slowed the ability" of the department to help organizations looking for help dealing with cyber-security. DHS would have "enhanced authority" over certain "key" infrastructure, but the proposals did not specify how the agency would define which companies would be classified as critical infrastructure and core critical infrastructure. Those companies will be under additional regulatory oversight to ensure they are implementing proper security measures.
The Senate and the White House are on the “same track” on cyber-security, according to a statement issued jointly by Sens. Joe Lieberman, Susan Collins and Tom Carper. “We both recognize that the government and the private sector must work together to secure our nation’s most critical infrastructure, for example, our energy, water, financial, telecommunications and transportation systems,” according to the Senators.
Companies that fail to scrub personal identifying information from data shared with the government will face civil penalties. The administration would be able to publicly call out any company that failed to secure its networks adequately.
