When Good Identity Access Management (IAM) Software Goes Bad
Since we are at a more traditional break here in the U.S., it may be useful to think about real-world IAM software implementation problems. I initially thought of doing a standard "Time Line" of posts on IAM software, but on further review, it seemed more germane to concentrate on IAM software problems.
First, some "gross generalizations" about Identity Access Management (IAM) software (in random order):
Suppliers do not always put their best people on IAM-related accounts. Of course, this depends greatly on many factors, so I used the term in general. The best and brightest minds (engineers, developers, key strategists, and frankly, many of the people who run business blogs in the "blogosphere") do not actually implement IAM software. So, who comes to your site? Partners, offshore hires, trainees, sales representatives (or "technical trading"). High-dollar accounts are certainly more likely to get the talent, but even such accounts may suffer in this extended IAM market.
IAM software is inherently, incredibly complex, by nature and by design. You cannot expect the system to have been thoroughly tested under all permutations of environment, version, DNS, certificates, mixed authenticators, etc. I could repeat this point one thousand times. Note for the enterprise: most IAM software, especially "suites," is essentially a service offering packaged as a product. It may start life as a retail package, but it must be thoroughly tested, adapted, configured, developed and expanded to fit real-world enterprise environments. This is the reality of software in the area of Identity and Access Management. Please do not expect point-and-click configuration for true enterprise-class software. It is not only an unrealistic expectation, but it can lead to all kinds of planning and budgeting deficiencies when it is time to implement and improve. Keep
IAM software is often closely tied to specific versions of operating systems, web servers, application servers and related components. In fairness to the major players, try bringing a product to market that supports "N" number of platforms, where a multiplier effect comes into play with the raw number of other systems or "targets" that the software is supposed to communicate with. Do not be deceived by the seller's "open platform" story. The JDK version and OS revision level (except service pack / patch number) may in some cases make or break key IAM components.
Sellers usually do not put their best people on the phones or on the portal-based support queues to help you. Most of the major IAM companies (probably all, but I will hedge and say "maybe") offshore support for key parts of their software. Certainly, most do, as we have learned first hand over and over again. A debate on the merits (or lack thereof) of offshoring is best left to the experts. My point here is that, more often than not, it is a fact of life with enterprise software providers, and you can reasonably expect to find communication-skill and time-zone-delta issues (among others) in the support base for IAM products.
IAM support people are not necessarily up to speed on the latest versions and permutations of their products. This is an area of great variance across the major suppliers. In general, however, a support call can pass through many hands before arriving at a satisfactory solution. For providers with frequent revision cycles, it is almost certain that a good part of the support staff is not fully up to speed on the latest versions. Furthermore, ownership of a support case can be daunting and extremely frustrating for business customers. (Or anyone else, for that matter.) On a similar note, suppliers, like airlines and companies in the health sector, tend to oversell their resources. They are more than happy to sell you all the product you want, with the promise of great support, but at the end of the day they may not have the resources to support what they sold. This is a classic problem, and one that should be connected with a group of companies see a solution in the near future.
As with any chain, IAM software is only as good as its weakest link or connection. The best software in the world can only be responsible for its internal operation and to set the operation of connected components. Case in point: databases and operating systems. IAM infrastructure can be an enabler, adding features and functions that do not yet exist and providing a platform for delivering services. But many organizations have disparate repositories of information and services that are in various states of disorder: older versions, configuration errors, or dirty / unstructured data.
Successful IAM software implementation requires a team. Minimally, this includes one or more technical implementers from the supplier and one or more subject matter experts from the client side. Subject matter experts who are real experts in their target platforms, and in the data that resides on those platforms, give the IAM software a prayer of success.
Many IAM suppliers have "Frankensteined" (if that can be used as a verb) various IAM software packages together to create a presence in the IAM space. No names are necessary. Everyone in this room and all our customers know exactly what I'm talking about. Returning to the point about complexity, consider the logistics of bringing three or four completely discontinuous, independent countries together to form a unified whole. Not easy, is it? OK, granted, IAM software is not *so* complicated, and the point is a bit exaggerated for dramatic effect, but you get the point. When you cobble together parts of machines to make new machines, there will be new complexities and problems. Putting together a team of people who can successfully implement all of the pieces live on a client site is an extreme challenge for most any manufacturer.
So what can (and will) go wrong with the IAM software? Here is a very abbreviated list ....
Installation failures. Terribly common for a number of reasons, including faulty installation scripts, library / file issues, version conflicts, etc. See "dependency failures" below for more details.
Authentication failures.
Authorization failures.
Connection failures.
Dependency failures. (Other versions of software, missing libraries and Java classpath entries, missing patches, patches that replace an older, but more "supported," configuration.)
Weak-link encryption. In this scenario, some parts of the identity transaction are encrypted, but not others.
Database read failures. (Bad connection strings, databases that require special JDBC string tuning such as character translation, etc.)
Database misread failures. The tables say one thing; the provisioning tool connected to the database says something different ...
SSO failures. The user logs in, the token is granted, and the user then wants to take the token to another portal / application / website and sign on "seamlessly." It is often not so seamless, especially if several products are involved in the transaction.
Directory service attributes that do not match.
Java library errors. These relate not to installation, but to starting / stopping IAM components or the application server.
Function errors. Three quarters of the way through the transaction, strange errors appear ....
Module or plugin mismatches. A plugin or module that was certified for an earlier version is used with the new one, only for you to find that the specific plugin your website is based on has not been thoroughly tested ...
SSL / certificate failures. Certificate authority certificates may be cached by the web server, Java application server, client or browser. The picture gets bigger for environments that also require client certificates.
There are many others, but these are only a few of the many things that may keep Identity and Access Management component installations from performing their mission. (And from earning back the serious money your company has spent on them.)
Is there hope?
Yes, there is. Here are some (far from all-inclusive) suggestions that may help *ensure* that your identity and access management software installation and maintenance have the best chance of success:
Standardize on a version of the JDK, and plan to stick with it for at least one full implementation cycle. It is very easy (and tempting) to constantly update JDK and JRE components as new ones become available. But this can create compatibility problems with the IAM software. Stick with the version that the software is certified for and, if it is certified for multiple versions, go with the latest. That said, *always* go with a minimum of version 1.5.x, for the variety of security enhancements and the improved security model that are now available. Suppliers will often build on older JDKs and patches, so do not assume that an automatic update is what is needed to solve a specific problem.
For Microsoft (TM) shops, or heterogeneous environments with Windows 2k3 servers and XP or Vista clients, plan a move to .NET 3.0. We have discussed this elsewhere, but it is an important point. Not only are there useful new IAM-related features, but .NET *is* in general compatible with previous versions while adding bug fixes and improvements. CardSpace support is also a key driver for moving toward .NET 3.0.
Standardize on a specific version of a secure JDBC driver, and make sure the Identity and Access Management provider certifies that version for connectivity to your data sources. IAM products, in particular provisioning and control tools, rely heavily on JDBC connections to directory services and databases. These products are often coded to expect a certain class or driver version. In the case of JDBC, newer is not always better. Again, "newer is not always better when it comes to JDBC." Remember also that many components of the IAM software may rely on the same driver, so mixing and matching versions can be an important source of pain.
With the major providers, get a clear picture of their product roadmap for the next three years. Remember that identity and access management programs are multi-year efforts. If they cannot provide a roadmap, it usually means they are just waiting to see what others are doing in the space, and will then go on a buying spree. (We are not naming names.)
With small vendors, get a clear picture of their exit strategy, and consider demanding source escrow. Of course, not many small providers will share this information, and many do not really have a long-term plan. There is no problem with that in itself, but with the rate of bubbles in this area it is important to know where these companies stand. Talk with the president. Talk with the fee (if applicable). I cannot tell you how many established "smaller" providers we have spoken with and asked these questions point blank, only to see them acquired in the following weeks.
Review scenarios with the manufacturer's technical staff and see how they react. Repeat with their support. Make a few test calls to support during the product evaluation. Insist that they give you full guest access to support. Call during the day, then call at 2:00 am. Ask the same question every time. Compare and contrast.
Request virtual test drives of the vendor's software. Check which libraries load with the application and web server. Acquire and review the logs. Check for discrepancies.
Request ... * ...* no question, a consistent implementation team. Large companies have enough challenges without the manufacturer's representatives showing up at a site, or emailing your technical team with global concerns, passwords, or troubleshooting of VPN access to your environment. Get a single team committed up front, allow for a 2-3 person change "contingency," and get this written into the contract.
Once you have finally decided on your product and / or product suites, pick a good mix of your cross-functional subject matter experts (SMEs) and send them to the IAM product training. More importantly, *ensure that the SMEs who go are planned to stay with the project.* It is key for SMEs to be comfortable with and understand their IAM products, particularly where they connect with the resources the SMEs own.
Compile a complete list of all your application authentication stores: databases, directory services, XML blobs, flat files, or anywhere else IAM data is stored in your company. Use this as a checklist for the IAM provider, and ask them to detail how their specific product(s) address each case, and also which cases they cannot. Although this may seem a trivial practice, for many large companies finding out exactly what they have, much less how to protect it, is a huge exercise. The collection and analysis of this data is not up to your vendor's IAM implementation team. Please do not expect them to do this for you. Instead, have this ready for them before implementation begins. Often, an important detail or pattern will emerge during the portfolio review phase, which may be crucial in deciding the best architecture and implementation plan for the environment.
Maintain a strong code / software management practice. If you do not have one in place, get one before you begin multi-product IAM implementations. Structure your code repository by product and project, and keep in mind that access management and provisioning products make major changes to directory services and databases. Match each update to a specific build or revision of the IAM software components.
In summary, Identity and Access Management (IAM / IdM) software installations must be managed like other aspects of your identity and access management (IAM) program. Plan for the complexity of IAM software and, most importantly, adopt a baby-steps approach with the software tooling. Do not jump into certificates, password policy, or federation of complex databases and directories until you have a clear test plan in place and can test the product's basic functions. Once these are validated in your environment, move up from the very basic function level until the applications are fully satisfied.