Tag Archives: Identity

Active Directory in Hybrid Cloud

Cloud”, the most common term now in IT, its everywhere . Companies which provides IT services bringing their products and services in to the cloud rapidly. “Hosting services” was the first industry affect with it and now its spread to even small companies, individual professionals. With introduce of everyday products like Microsoft office365 every one start to understand the benefits of the “cloud”. Some organizations are use their own private cloud while some are completely move in to public cloud services.

One of the main concern people had about cloud was how they can bring there infrastructure services, resources, applications without impact to productivity. For example most organizations uses Single-Sign-On (SSO) to reduce the complexity of the authentication and authorization process. After we move organization’s resources, products, services to cloud if SSO do not work it still preventing full benefits of the cloud in end user prospective. The same time it will make impact on productivity directly. This access control and authentication concerns are more applying in to “Hybrid Cloud” systems. In Hybrid cloud some resources, services, application will run on-premises and some will be run from public cloud or private cloud setup in data center. This is the most commonly used cloud model in industry.

One of the solution used to address this is federation services. But issue is not every application or products uses same standards, protocols for identity management. As we know most of available products supports integration with AD services. Even Microsoft gives relevant tools, techniques to succeed with SSO on application development. So if you have working infrastructure system with all company requirement, how you convince management to move in to cloud system which will needs to deal with identity and access issues?

Well, Microsoft has found the solution for this. “Microsoft cloud – Azure” and windows server 2012 allows to extend the active directory in to the cloud. It allows to use claim based authorization. We can use windows azure AD as the identity store for the hybrid cloud and easily integrate other systems such as web portals, email system, crm, non-Microsoft apps. Also it can sync with the on-premises windows server active directory using “DirSync (Windows Azure Active Directory Sync Agent)” with AD FS (Active Directory Federation Services).

clip_image001_1E3725C4

In next posts let’s see how we can configure Azure AD and how it works with integration. If you have any question about post feel free to contact me on rebeladm@live.com

Image Source: http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-98-54-metablogapi/clip_5F00_image001_5F00_1E3725C4.png

Identity and Access (IDA) Management Solutions

In previous article I have explain what IDA solution is and what we need to consider on implementing such a solution to business. If you didn’t read it yet you can find it on here

What is IDA Management Solutions?

IDA management solutions used to integrate, sync, manage different identities an organization uses. It can be different directories, different systems. For ex- Company ABC use Active Directory Domain Services (AD DS) to manage its users. It also have another web application hosted on linux platform which is using different identity store. Billing platform is maintaining another authentication system for customers and employers. Company XYZ its merge with using Novell eDirectory as its directory service. So IDA management solution it will help organization to integrate and maintain these different authentication systems without additional management efforts.

What are the features of IDA Management Solutions?

Multiple Authentication Systems

In an organization, there can be various authentication systems. It can be different directory services or databases. Most of the time IT professionals are used to merge these various system to one authentication system to provide Single Sign on (SSO) experience. Majority of applications, authentication systems allow to integrate them with different directory services. But some time it is important to maintain different identity stores while sync or exchange certain information among them. IDA management solutions allow to maintain multiple authentication systems while providing SSO or filtered information exchange.

Determining Authoritative Identity

As I explain before IDA management solution can integrate, synchronize and maintain identity data from multiple identity stores. When those systems works together it’s important to identify the attributes and the source of them. For ex- If “System A” requesting user information from “System B” for authentication it’s important to make sure “System A” is same source its claims to be before pass the sensitive information. There for IDA management solution will act as trusted information source which we can use for validate the information which are sync between multiple identity stores.

Authentication and Authorization

IDA solution will make sure to authenticate and authorize users based on the access control permissions or policies.

Add/Remove User accounts automation

When an organization deals with multiple identity stores it makes more work for IT staff for user account provisioning and de-provisioning. For ex- if company have 5 different systems when new use comes in IT department need to create use in all 5 systems along with appropriate ACL etc. imagine with 25 users how much of work load it will create ? Also the process can increase the possibilities for errors and it even can create security risks to entire network.
With IDA solution we can automate this user add/remove process across multiple systems. It will ensure the integrity, security, productivity compare to manual process.

Secure data exchange between companies

Due to business needs some time organizations needs to exchange access to data and resources with other companies, vendors or partners. It is not practical to force the other party to change their systems to compatible with ours. IDA management solutions allows to securely share access information to data and resources with minimum administrative efforts. It can be using domain trusts, federation services, forest trusts etc.

Secure Data Exchange

When deals with multiple systems its obvious sensitive information will share or sync between them. This communications may happens between multiple networks. IDA solutions will ensure all of the communication between different systems are secure and data exchanged between them are secured.

Safeguard sensitive data 

Let’s assume “company ABC” merge with “company XYZ”. These are interconnected using domain trust. CEO of company ABC is sending email attached with office excel file contains salary information to CEO of company XYZ. So defiantly its very sensitive data which should not access by any other person. Even though it’s secure communication what if someone else in company got access to it? IDA solution can use to make sure the confident data only access by the authorized person. As example Active Directory Right Management Services (AD RMS) can use as tool to ensure only CEO of XYZ can open that excel file and no one else.

In next article let’s look in to some of IDA tools and techniques we can use.
 

Identity and Access (IDA)

Identity-And-Access-Management

In modern world business have much more complicated infrastructure requirements. The day’s people connected to a switch or router and uses few network application is now over. It’s becoming more “network” world and connectivity to different systems, resources which is available over internet, home network, corporate network is common.

I believe it’s much better to explain it with a real world example. There is company called ABC corp. which is in publishing business. Its headquarters are located in New York City. It also have branches in Europe and Asia. All offices are interconnected using LAN and WAN solutions. Each offices have its own network resources with different access permissions. These resources access permissions are managed based on user, department or office geographical location. Company also use different applications such as billing, content management systems (CMS), FTP Uploads/Downloads, Online Stores etc. Also company have remote workers login from different locations in the world and they also have access to some of the systems and resources company use. ABC corp. recently merge with another company called XYZ Inc. Both companies wants to share access to systems and resources they have with minimum changes to current infrastructure setup. Apart from the infrastructure just imagine the complexity of the different access permissions its deals with. How many different systems they uses? Some of these systems are well known applications and some are developed by third party development teams. How many different technologies they uses? Some of the solutions they used based on Linux, some are based on mac and some are based on Microsoft. What about the connectivity with corporate communication device such as phones, tablets etc.?. This is where Identity and Access (IDA) solutions comes. It will simplify the complex identity and access requirements of business.

IDA solutions are not simply a set of server roles or applications you can install on a server and configure. It is a solution to a business problem. It does have set of tools and technologies which can use to address the problem but I would say it’s like a double-edged sword. If it’s not carefully evaluated against the business problem before introduce them to infrastructure, it will be chaos.

What we need to consider before go with IDA solution?

Security – when it comes to digital data the security is more critical concern any business faces when applying new solution. Before we apply IDA solution we need to identify the security risks involve and prepare plan to address those. For ex- single sign on (SSO) is one of the great feature in IDA solutions. But same time it can make more damaged to a network or data than a system with different login systems (in network security breach). We need to evaluate all of these concerns and build the security boundaries, policies etc. when it comes to merging two different networks this is become more and more important. Because the other network may using complete different security policies. Also the data which will be shared among the companies will be much more critical, confidential data. So the solution we providing must address all these concerns.

Cost – It is also important to evaluate the cost involve with the solution such as hardware cost, software license cost, administration cost, product development cost etc.

Benefits – It is defiantly need to evaluate the benefits that corporation will have with IDA solution. In beginning of this article I mentioned that IDA solution will simplify the complex identity and access requirements but will it be enough? We need evaluate

•    How it will affect productivity?
•    How it will affect data, network security?
•    How we can justify the cost involve with the IDA solution against the benefits?

CIA Triad

CIA-triad

IDA solutions consist of 3 core elements. These elements are equally important.

Confidentiality – Data, resources should only available for the authorized persons. For ex- Let’s assume company have a network share which contains payroll information. Management decides its only should access by account department. So it’s must to ensure no other departments have access to it. None of the new implementations should effect this primary requirement.

Integrity – This means when data is been share between two or more parties it should not have access or modified by unauthorized person.  For ex- “User A” is editing a file from “Share A”. If it’s NOT share for others that activity only between User A and Share A

Availability – Let’s assume an accountant is accessing billing system to view a customer billing information. If the user is permitted for it, need to ensure those data is available. New implementations, security rules should not make any impact on it.

In this article I tried to explain what is IDA solution and in future posts I will explain the different tools and techniques uses in IDA solution.


Image Source : http://informationsecurityadviser.co.uk/cia-triad/ , http://www.businesscomputingworld.co.uk/the-iam-gap/