Healthcare organisations such as hospitals and surgeries operate complex networks comprising various applications running on multiple systems. Users need access to multiple applications for e-mail, the helpdesk, patient data and so on. In order to comply with increasingly strict security requirements, staff must enter a separate username and password combination for each application. This can easily mean entering credentials for 12 different applications or more [Source: SINGLE SIGN ON SURVEY REPORT, July 2011]. With so many combinations to remember, it is likely that employees will store this data in an insecure way, i.e. write their passwords on sticky notes or share login credentials with colleagues. System administrators take extra precautions to keep the network safe, such as requiring complex passwords and setting a maximum validity period for passwords. Often, all of this only serves to exacerbate the issue further.
Issues such as these gave rise to the development of Enterprise Single Sign On (SSO) solutions. With an SSO solution employees have to enter just one set of login credentials, after which they are logged in automatically to all their required applications. This greatly helps to limit security issues and speeds up the login process. However, even the initial login can prove too time-consuming in a busy A&E, and this is where the innovative further features of E-SSOM, Tools4ever’s SSO solution, could have industry-changing consequences.
To ensure proper patient care, doctors need quick access to patient information. The “Fast User Switching” feature lets staff log in and out of shared computers quickly. When users log in using Fast User Switching, the applications they need are launched and logged in to immediately and automatically. When users log out, the SSO solution can log out of the applications and/or close them. The login process can be made even easier when Fast User Switching is combined with a key card. In this scenario inserting the key card grants the user access to the desired applications, and removing it logs them out, making the computer available to other members of staff.
Another feature which can prove very useful in this environment is “Follow Me”, an alternative to Fast User Switching. Staff begin by logging into the network and launching the required applications (the SSO solution takes care of the automatic login). If the user decides to change computer, they can take the logged-in session ‘with them’ to the other one and have immediate access to the desktop and applications launched earlier. As with Fast User Switching, it is possible to link the switching of users to a key card. In this scenario a user only needs to identify themselves with a key card and an optional PIN code.
This kind of innovative technology could greatly reduce the instances of data protection breaches within the healthcare sector, whilst also improving the overall productivity of the workforce in general. In the current economic climate this could help to improve the quality of care given despite tight budget cuts.
Monday, 12 December 2011
Monday, 31 October 2011
Can time-consuming login processes become a thing of the past?
Password synchronisation solutions can prove extremely useful for increasing efficiency and reducing costs. Like Tools4ever’s Password Synchronisation Manager (PSM), they allow end-users to use a single password for logging into their network and all the other applications they require access to. After end-users have changed their password, PSM ensures that they can log in directly to all the required systems and applications with a single set of log-on credentials. This can improve end-user productivity and minimise the number of password-related helpdesk calls. But is it possible to enhance efficiency and workforce productivity further still?
Password synchronisation solutions alone still require the end-user to log in manually to each application and system they use, which can be extremely time-consuming. A recent survey has shown that an alarming 28.1% of us have to remember over 12 different username and password combinations in order to do our work on a daily basis, with the majority of us having to key in up to seven. And 85.3% of us think that we would be able to work more efficiently if the time it took to log in to systems was reduced.
SSO solutions, such as Tools4ever’s E-SSOM, offer effective solutions to these issues. Once a user has logged into the network and logged on to their required applications, E-SSOM will remember the login credentials required for each application/system and automatically log the user in thereafter, whenever the applications/systems are launched.
However, in combination with PSM there is no need for this process, as PSM communicates directly with E-SSOM. When a password is changed in Active Directory, PSM will immediately ensure that all applications/systems receive and apply the new credentials, and will communicate the current password credentials to E-SSOM, which will then launch all applications and systems automatically.
The combination of these two solutions makes login procedures even more efficient, optimising user convenience and simplifying the process for system administrators when access to new applications has to be added to user accounts, and when applications/systems require users to change their login credentials frequently.
With the combination of the two solutions, time-consuming log-in procedures can become a thing of the past. End-user convenience can be at an optimum level, with increased workforce productivity.
Monday, 22 August 2011
UMRA & Migration
Many companies are apprehensive about implementing UMRA when they are in the middle of a migration to an Active Directory (AD) environment. A common misconception is that the migration must first be completed before UMRA will work properly; another is that starting a different project during the migration might overcomplicate matters and delay the project deadline. However, the truth is that UMRA assists migration both pre- and post-project and streamlines the process. Tools4ever provides indispensable project management expertise which speeds up the migration process.
There are two common migration scenarios. The first is domain consolidation, in which multiple AD domains are collapsed into a single domain. In this scenario UMRA is able to recreate the user account and, more often than not, retain the username in the new domain. Where the migration results in duplicate names, organisations can choose to implement a new naming convention. UMRA will create a new user name and alert end users, via email, what their new username will be, along with the date from which that name will be valid.
Not only is the user migration process streamlined, but so is the migration of those users’ resources, including items such as group memberships and home directory data. As users are migrated UMRA will retain their group memberships; if one of the groups does not reside in the new domain, UMRA will create it automatically. Home directory data can either be copied to a new server in the new domain or re-permissioned on the existing server with the SID of the newly migrated account.
UMRA also assists and eases the migration process by:
Eliminating pollution: Most migration tools copy 1:1, which includes erroneous and/or stale accounts. UMRA, however, migrates users by reconciling them against an HR/SIS system so that pollution is not carried over. Activity reports on unused groups are generated so that these objects are not migrated.
Filling attributes: When migration takes place there may be some missing information, such as “title” or “department”. UMRA automatically populates this information as needed.
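The consolidation steps described in this post (reconcile against HR, drop pollution, keep or rename usernames and notify the user, recreate missing groups, fill empty attributes, report unused groups) can be expressed as a small planning routine. The following is an added illustration written for this page, not UMRA's or Tools4ever's code; the HR extract, the domain export, the `employeeID` matching key, the "numeric suffix" naming convention and the action names are all constructed assumptions.

```python
# Constructed HR extract: the authoritative list of who should have an account.
HR_RECORDS = [
    {"employee_id": "1001", "username": "jsmith", "title": "Nurse", "department": "A&E",
     "email": "j.smith@example.org"},
    {"employee_id": "1002", "username": "apatel", "title": "Radiographer",
     "department": "Radiology", "email": "a.patel@example.org"},
]

# Constructed export of one source domain, with the pollution a 1:1 copy would carry over.
SOURCE_ACCOUNTS = [
    {"sAMAccountName": "jsmith", "employeeID": "1001", "title": "", "department": "A&E",
     "memberOf": ["Clinical"]},
    {"sAMAccountName": "apatel", "employeeID": "1002", "title": "", "department": "",
     "memberOf": ["Radiology Staff"]},
    {"sAMAccountName": "test123", "employeeID": "", "title": "", "department": "",
     "memberOf": ["Legacy Apps"]},          # never in HR: stale test account
    {"sAMAccountName": "oldadmin", "employeeID": "9999", "title": "", "department": "",
     "memberOf": ["Clinical"]},             # HR id no longer exists: a leaver
]
SOURCE_GROUPS = {"Clinical", "Radiology Staff", "Legacy Apps"}
TARGET_USERNAMES = {"jsmith"}   # a different J. Smith already exists in the consolidated domain
TARGET_GROUPS = {"Clinical"}


def reconcile(accounts, hr_records):
    """Split accounts into (account, hr_record) pairs backed by HR and pollution with no match."""
    by_id = {r["employee_id"]: r for r in hr_records}
    matched, pollution = [], []
    for acct in accounts:
        rec = by_id.get(acct.get("employeeID") or "")
        if rec:
            matched.append((acct, rec))
        else:
            pollution.append(acct)
    return matched, pollution


def fill_attributes(acct, rec):
    """Populate empty 'title'/'department' from HR; values already present are kept."""
    filled = dict(acct)
    for attr in ("title", "department"):
        if not filled.get(attr):
            filled[attr] = rec[attr]
    return filled


def resolve_username(wanted, taken):
    """Keep the name when free; otherwise apply an assumed convention: a numeric suffix."""
    if wanted not in taken:
        return wanted
    n = 2
    while f"{wanted}{n}" in taken:
        n += 1
    return f"{wanted}{n}"


def plan_migration(accounts, hr_records, source_groups, target_usernames, target_groups,
                   valid_from):
    """Produce the ordered list of actions a consolidation run would carry out."""
    taken, groups, referenced, actions = set(target_usernames), set(target_groups), set(), []
    matched, pollution = reconcile(accounts, hr_records)
    for acct in pollution:
        actions.append(("skip-pollution", acct["sAMAccountName"]))
    for acct, rec in matched:
        acct = fill_attributes(acct, rec)
        new_name = resolve_username(acct["sAMAccountName"], taken)
        taken.add(new_name)
        for g in acct.get("memberOf", []):
            referenced.add(g)
            if g not in groups:          # membership must survive: create the group first
                groups.add(g)
                actions.append(("create-group", g))
        actions.append(("create-user", new_name, acct["title"], acct["department"],
                        tuple(acct.get("memberOf", []))))
        if new_name != acct["sAMAccountName"]:
            actions.append(("notify", rec["email"],
                            f"Your username will be {new_name} from {valid_from}"))
    for g in sorted(set(source_groups) - referenced):   # unused-group report: not migrated
        actions.append(("skip-unused-group", g))
    return actions


if __name__ == "__main__":
    for action in plan_migration(SOURCE_ACCOUNTS, HR_RECORDS, SOURCE_GROUPS,
                                 TARGET_USERNAMES, TARGET_GROUPS, "2011-09-01"):
        print(action)
```

The plan is deliberately produced before anything is written to the target domain, so that the pollution list and the rename notifications can be reviewed by the project team first; the only thing the real run then does is execute the actions in order.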
Wednesday, 17 August 2011
What's in a password?
Can password combinations put network security at risk?
A recent report* has shown that less than 1% of employee passwords are random sequences, with the majority of workers choosing simple combinations. These can easily be guessed and therefore could put network security in jeopardy. For example, a startling 14% of passwords were found to be as basic as a first name and surname combination, e.g. JohnSmith.
The study also revealed more startling results:
• 8% of passwords contained place names – most included the area where the person lived or was born (LondonUK)
• 14% of passwords were purely numeric and in some cases consisted of consecutive numbers (12345)
• 25% of passwords were random dictionary words (computer)
• Another 8% or so were made up of keyboard patterns, short phrases, words within the email address, and repeating words (asdf, myblackcat, @apple, redred – respectively)
These results provide a concerning insight into how easily the security of networks can be breached, even when password complexity rules are put in place by system administrators. It also highlights the increasingly important role of identity management software in protecting businesses against these risks.
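The categories in the survey above can be turned into an audit check that an administrator runs over a password dump from a cracking exercise they are authorised to perform, or over a candidate password at change time, to measure how much of the user base falls into each weak pattern. The classifier below is an added example written for this page, not code from the report cited or from Tools4ever; the word lists, name lists, keyboard rows and the sample account list are constructed stand-ins, and the "word+digits" category is an addition beyond the survey's own list.

```python
import re
from collections import Counter

# Constructed audit input: (password, account e-mail or None). Not real credentials.
SAMPLE_ACCOUNTS = [
    ("JohnSmith", "john.smith@example.com"),
    ("LondonUK", None),
    ("12345", None),
    ("computer", None),
    ("asdf", None),
    ("myblackcat", None),
    ("@apple", "apple.j@example.com"),
    ("redred", None),
    ("qwerty", None),
    ("987654", None),
    ("Summer2011", None),
    ("Tr0ub4dor&3x!", None),
]

# Constructed, deliberately tiny word lists; a real audit loads a full dictionary,
# a place-name gazetteer and a names list instead.
DICTIONARY = {"computer", "apple", "black", "cat", "red", "summer", "my"}
PLACE_NAMES = {"london", "paris", "york"}
FIRST_NAMES = {"john", "jane"}
SURNAMES = {"smith", "jones"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def is_keyboard_pattern(pw):
    """A run of adjacent keys along one keyboard row, in either direction (asdf, qwerty)."""
    p = pw.lower()
    return len(p) >= 3 and any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


def is_consecutive_digits(pw):
    """Digit-only password stepping by +1 or -1 throughout (12345, 987654)."""
    if not pw.isdigit() or len(pw) < 3:
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def is_name_combo(pw):
    """First name immediately followed by a surname (JohnSmith)."""
    p = pw.lower()
    return any(p == first + last for first in FIRST_NAMES for last in SURNAMES)


def is_word_concat(p):
    """True if p splits entirely into dictionary words, i.e. a short phrase (myblackcat)."""
    if p == "":
        return True
    return any(p.startswith(w) and is_word_concat(p[len(w):]) for w in DICTIONARY)


def classify(pw, email=None):
    """Label a password with the first weak pattern it matches, using the survey's categories."""
    p = pw.lower()
    if is_name_combo(pw):
        return "name+surname"
    if email:
        # words taken from the account's own address, e.g. apple.j@... -> @apple
        tokens = [t for t in re.split(r"[._-]", email.split("@")[0].lower()) if len(t) >= 3]
        if any(t in p for t in tokens):
            return "email-word"
    if is_consecutive_digits(pw):
        return "consecutive-numeric"
    if pw.isdigit():
        return "numeric"
    if is_keyboard_pattern(pw):
        return "keyboard-pattern"
    half = len(p) // 2
    if len(p) >= 4 and len(p) % 2 == 0 and p[:half] == p[half:] and p[:half] in DICTIONARY:
        return "repeated-word"
    if any(p.startswith(place) for place in PLACE_NAMES):
        return "place-name"
    if p.strip("@!#$") in DICTIONARY:
        return "dictionary-word"
    m = re.fullmatch(r"([a-z]+)\d{1,4}", p)
    if m and m.group(1) in DICTIONARY:
        return "word+digits"      # beyond the survey list: a word with a year or number appended
    if is_word_concat(p):
        return "phrase"
    return "no-obvious-pattern"


def audit(accounts):
    """Percentage of passwords per pattern label, like the survey's headline figures."""
    counts = Counter(classify(pw, email) for pw, email in accounts)
    return {label: round(100 * n / len(accounts), 1) for label, n in counts.items()}


if __name__ == "__main__":
    for label, pct in sorted(audit(SAMPLE_ACCOUNTS).items(), key=lambda kv: -kv[1]):
        print(f"{pct:5.1f}%  {label}")
```

The point of the ordering inside `classify` is that complexity rules alone do not catch any of these: `Summer2011` satisfies a typical "letters, digits, length 8" policy and is still a dictionary word with a year appended, which is why the check runs against word lists rather than character classes.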
There are a number of solutions that can be put in place, one of which is two-factor authentication. This involves securing the primary login using a pass-card or biometrics: users log in by presenting a pass-card/biometric to a reader and entering a PIN code rather than the standard username and password. Combining a pass-card/biometric with a PIN code provides much stronger authentication, minimising the possibility of a network breach.
Tools4ever’s Enterprise Single Sign On Manager (E-SSOM) offers full integration with all common two-factor authentication readers, such as HID, Mifare, Biometrie, Gridtoken, proximity-based devices and RFID readers. E-SSOM offers native integration with the driver software of the (card) reader and links the pass-card ID to the user credentials (username/password) in Active Directory. No additional software is required to create this link, guaranteeing a user-friendly and secure login for all users.
For more information visit http://www.tools4ever.com/products/enterprise-single-sign-on-manager/
*Source: The science of password selection by Troy Hunt
IAM: David versus Goliath
Towards the end of 2010, Gartner published its ‘Magic Quadrant for User Provisioning’ report. In it, Gartner outlines its vision for Identity & Access Management (IAM) for the near future, as well as associated trends.
But does this mean you should do business with them? The Magic Quadrant draws a distinction between leaders, challengers, visionaries and niche players. In the User Provisioning quadrant, the market leaders tower above all other players. These leaders include global giants such as Oracle, IBM, Novell and CA, while other vendors are closely grouped inside the other quadrants. This seems to suggest that this elite group has a clear monopoly in this sector.
I have noticed, more often than not, that when companies start IAM projects with solutions from elite vendors, they use a high-grade product as the centrepiece and build an IAM solution around it. They often try to create a utopia that requires intensive modification of the IAM solution. They start by automating organisational processes (workflow management and RBAC) and then automate IT procedures for user account management across the network. The problem with this is that automating organisational processes is very difficult, and inputting the required authorisation information into an RBAC system is even more daunting. Also, organisational changes are bound to occur during the course of the project due to long lead times. As a result, these projects are often abandoned after a substantial investment has been made, or are only partly taken into production.
Therefore selecting a vendor belonging to this ‘elite group’ does not necessarily lead to a successful IAM project, something Gartner acknowledges in its report. Elite vendors often use heavyweight project structures and impose a large number of conditions. Gartner notes that overly complex approaches tend to run IAM projects aground.
Gartner also highlights various issues, scenarios and requirements that an IAM vendor should cater for. Going against the norm, niche player Tools4ever meets all these requirements. Its success can be attributed primarily to the following aspects, which correspond to the key factors identified by Gartner:
- The responsibility for the implementation is not divided between the vendor and implementation partner. For years Tools4ever has maintained that the success of an IAM implementation is determined by the skills and expertise of the IAM consultants involved and cannot be left to the implementation partner.
- A phased approach: one of the key elements of Tools4ever’s methodology. By splitting IAM projects into various smaller subprojects, slow progress can be prevented and solutions can be provided in a number of days as opposed to the industry norm of weeks. IAM cycles can often be split into steps, each of which yields tangible results.
- Modularity: the technical solutions have a modular set-up that simplifies further development. This means intermediate results are delivered along the way rather than only at the endpoint.
- Flexibility: The IAM cycle usually starts with streamlining the current operation. Optimising existing processes will free up time and resources to focus on the next steps.
- An end-to-end portfolio: Tools4ever offers customers an end-to-end portfolio of solutions that have proven their worth in our customers’ production environments. Tools4ever is also just as proficient in the role of part supplier.
Thanks to Tools4ever’s approach, virtually all projects are successful. Customers now find themselves in a situation where they can easily cater for future IAM trends or the next phase in current trends.
So, just like the age-old fable of David and Goliath, the underdog can come out on top, as long as they have the right tools.
Friday, 18 March 2011
Two-factor authentication
Tools4ever’s Self Service Password Management has always been available with a web interface, in order to allow users to reset their Active Directory passwords from an intranet or via the web. On the basis of a number of simple, predefined questions end-users can reset their password. Although this has been widely adopted, mostly in educational establishments, some form of two-factor authentication has been requested by many of our corporate customers.
On the 18th of February we released the SSRPM Security Module, which adds two-factor authentication via email. Two-factor authentication (TFA or 2FA) means using two independent pieces of evidence to assert an entity's identity to another entity.
When a user logs onto the Active Directory domain for the first time following an SSRPM deployment, as well as answering a question set configured by the administrator, they will also be asked to supply a private email address. If an end user should subsequently forget their password, they can answer the challenge questions in the standard way. However, before they can reach the final stage and submit a new password, they must first enter the PIN emailed to their private address. This scenario illustrates the basic parts of most two-factor authentication systems: the "something you have" + "something you know" concept.
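The reset flow just described, modelled end to end as an added example for this page (it is not SSRPM's code and makes no claim about how the Security Module is built): enrolment captures hashed challenge answers and a private address, a reset issues a random PIN by email, and the new password is accepted only when both the answers ("something you know") and the PIN ("something you have") have been verified. The ten-minute PIN lifetime, the three-attempt limit and the in-memory e-mail outbox are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 600      # assumption: an emailed PIN is valid for ten minutes
MAX_PIN_ATTEMPTS = 3       # assumption: three wrong PINs void the reset session


def _h(value):
    """Hash stored secrets so neither challenge answers nor PINs sit in clear text."""
    return hashlib.sha256(value.strip().lower().encode()).digest()


class SelfServiceReset:
    """Two-factor self-service password reset: challenge answers plus an emailed PIN."""

    def __init__(self, send_email):
        self.users = {}       # username -> {"answers": [hash], "email": str, "password": str}
        self.sessions = {}    # username -> pending reset state
        self.send_email = send_email   # callable(address, body); stands in for an SMTP relay

    def enrol(self, username, password, answers, private_email):
        """First domain logon after deployment: capture answers and a private address."""
        self.users[username] = {"answers": [_h(a) for a in answers],
                                "email": private_email, "password": password}

    def start_reset(self, username, now=None):
        """Open a reset session and email a fresh random PIN to the enrolled address."""
        now = time.time() if now is None else now
        pin = f"{secrets.randbelow(10**6):06d}"      # 6 digits from a CSPRNG, leading zeros kept
        self.sessions[username] = {"pin_hash": _h(pin), "expires": now + PIN_TTL_SECONDS,
                                   "attempts": 0, "know_ok": False, "have_ok": False}
        self.send_email(self.users[username]["email"], f"Your password reset PIN is {pin}")

    def answer_challenge(self, username, answers):
        """Factor 1, 'something you know': every answer must match its enrolled hash."""
        s = self.sessions.get(username)
        if s is None:
            return False
        stored = self.users[username]["answers"]
        s["know_ok"] = len(answers) == len(stored) and all(
            hmac.compare_digest(_h(a), h) for a, h in zip(answers, stored))
        return s["know_ok"]

    def submit_pin(self, username, pin, now=None):
        """Factor 2, 'something you have': the PIN that reached the private mailbox."""
        now = time.time() if now is None else now
        s = self.sessions.get(username)
        if s is None:
            return False
        if now > s["expires"] or s["attempts"] >= MAX_PIN_ATTEMPTS:
            del self.sessions[username]      # stale or being guessed: the user must start over
            return False
        s["attempts"] += 1
        s["have_ok"] = hmac.compare_digest(_h(pin), s["pin_hash"])
        return s["have_ok"]

    def set_new_password(self, username, new_password):
        """Final stage: reachable only once both factors have been satisfied."""
        s = self.sessions.get(username)
        if s is None or not (s["know_ok"] and s["have_ok"]):
            return False
        self.users[username]["password"] = new_password
        del self.sessions[username]          # sessions are single-use
        return True


def demo():
    """Walk through the flow with an in-memory outbox; returns True when the reset succeeds."""
    outbox = []
    svc = SelfServiceReset(lambda addr, body: outbox.append((addr, body)))
    svc.enrol("jsmith", "Winter10", ["Rex", "Leeds"], "jsmith.home@example.com")  # constructed
    svc.start_reset("jsmith")
    pin = outbox[-1][1].split()[-1]                   # what the user reads in their mailbox
    blocked = svc.set_new_password("jsmith", "x")     # False: no factor satisfied yet
    svc.answer_challenge("jsmith", ["rex", "LEEDS"])  # answers are normalised before hashing
    svc.submit_pin("jsmith", pin)
    return (not blocked) and svc.set_new_password("jsmith", "Spring11!")


if __name__ == "__main__":
    print("reset succeeded:", demo())
```

Two details matter more than they look: the PIN and the answers are compared with `hmac.compare_digest` rather than `==` so that response timing does not leak how many characters matched, and a session is deleted as soon as it expires, exceeds its attempt budget or is consumed, so that a PIN can never be replayed.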
Two-factor authentication already secures the web interface. But we intend to extend this even further by enabling the forwarding of PINs to mobile phones by SMS. Watch this space for further information!
Tuesday, 15 March 2011
Keeping Active Directory Clean
One of the issues that frequently arises, especially in larger organizations, is the need to provide contractors, consultants and temporary employees with access to network resources and email. The concept of automating the lifecycle by integrating with a Human Resource system breaks down because these types of employees are rarely entered there.
We have solved this dilemma numerous times for companies by implementing a web-based workflow. The hiring manager accesses an internal web page and completes the relevant information: name, department, type of employee, expected length of service, etc. Once the form is submitted, IT or the helpdesk can review the information and process it automatically. An email is delivered back to the hiring manager with the username, email address and initial password.
The key element here in keeping AD clean is the expected end-of-service date. As that date approaches, a notification can be delivered to the manager asking if the date should be extended. If yes, the manager clicks on a link in the email and can enter a new end date. If no, the process automatically disables the user on the last day of service. A manager can also be given the option to disable or terminate the account immediately if the person has already left.
After sitting in a disabled status for a period of 60 to 90 days, the record can automatically be purged from AD. Implementing a process like this saves time and potential licensing costs and increases security, all while making life easier for the OIT department.
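The end-date-driven lifecycle described above, as a scheduled job: warn the manager as the date approaches, disable on the last day, re-enable on extension, allow immediate termination, and purge after a quiet period. This is an added example written for this page, not the workflow Tools4ever delivers; the 14-day warning window, the 60-day purge period (the post allows 60 to 90) and the in-memory `Account` record that stands in for the AD object are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

NOTIFY_DAYS_BEFORE = 14   # assumption: ask the manager two weeks before the end date
PURGE_AFTER_DAYS = 60     # the post allows 60 to 90 days; 60 is used here


@dataclass
class Account:
    """The subset of a contractor's AD record that the workflow needs."""
    username: str
    manager_email: str
    end_of_service: date
    enabled: bool = True
    disabled_on: Optional[date] = None
    notified: bool = False


def extend(acct, new_end):
    """Manager followed the link in the notification and entered a new end date."""
    acct.end_of_service = new_end
    acct.notified = False             # the reminder fires again before the new date
    if not acct.enabled:              # disabled but not yet purged: bring the account back
        acct.enabled, acct.disabled_on = True, None


def terminate_now(acct, today):
    """Manager reports that the person has already left."""
    acct.enabled, acct.disabled_on = False, today


def run_daily(accounts, today):
    """One scheduled pass over all contractor accounts.

    Returns (actions, surviving_accounts); actions are (action, username, detail) tuples
    that a real deployment would turn into e-mails and directory operations.
    """
    actions, kept = [], []
    for acct in accounts:
        if acct.enabled:
            days_left = (acct.end_of_service - today).days
            if days_left <= 0:
                acct.enabled, acct.disabled_on = False, today
                actions.append(("disable", acct.username, str(today)))
            elif days_left <= NOTIFY_DAYS_BEFORE and not acct.notified:
                acct.notified = True
                actions.append(("notify-manager", acct.username, acct.manager_email))
        elif acct.disabled_on and (today - acct.disabled_on).days >= PURGE_AFTER_DAYS:
            actions.append(("purge", acct.username, f"disabled since {acct.disabled_on}"))
            continue                  # purged: the record leaves the directory
        kept.append(acct)
    return actions, kept


if __name__ == "__main__":
    # Constructed contractors: one finishing soon, one whose end date has already passed.
    pool = [Account("ctr_alice", "mgr@example.com", date(2011, 3, 31)),
            Account("ctr_bob", "mgr@example.com", date(2011, 1, 10))]
    for day in (date(2011, 3, 20), date(2011, 3, 31), date(2011, 5, 19)):
        acts, pool = run_daily(pool, day)
        print(day, acts)
```

Because `run_daily` is idempotent for a given day (a manager is notified once per end date, and a disabled account is never disabled again), the job can safely be re-run after a missed night without sending duplicate e-mails.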
Tuesday, 8 March 2011
Manage Outlook Office Assistant without direct access to the mailbox
A common situation in organizations: an employee is ill and absent for a long period of time, and his/her Outlook Office Assistant is not activated. Result: e-mails are not answered, poor service and angry customers.
Because of data protection, it is not possible to turn on the Outlook Office Assistant without direct access to the mailbox. Another employee would need to know the login credentials of the absent worker in order to read e-mails, forward e-mails and turn on the Outlook Office Assistant.
That creates an insecure situation. However, it can be easily resolved with the Out of Office Manager Tool (OOMT) by Tools4ever, http://www.tools4ever.com/products/out-of-office-manager/.
With OOMT, administrators or helpdesk personnel can turn on the Outlook Office Assistant wizard without logging into the user's mailbox. This task can also be delegated to departments, even without additional admin rights.
It is also possible to integrate OOMT with Tools4ever’s User Management Resource Administrator (UMRA) in order to connect to the company's HRM system. The HRM system keeps track of employees who are sick, on vacation or on a business trip, and of when an employee leaves the organization. Thanks to this integration UMRA can automatically enable the Out of Office Assistant and also forward e-mails so they can be answered.
Professional handling of email traffic in your organization is guaranteed.
Tuesday, 18 January 2011
Active Directory, Controlled Assessment & UMRA
Traditionally, schools and colleges use UMRA to keep Active Directory up to date, either by reading information from a CSV file, or by dynamically connecting UMRA to their pupil information system such as SIMS, CMIS or SITS.
Part of Tools4ever's Identity Management Suite is UMRA Forms, a secure interface to quickly and accurately manage the life cycle of a user. However, when a school links Active Directory to their student information system, all student account changes are automated, with no need for manual intervention. This negates the requirement for UMRA Forms.
However, a couple of months ago we were approached by Adrian Edgar of Culford School in Suffolk with an interesting problem regarding controlled assessment. Adrian creates exam accounts for pupils, with home directories shared in the normal way to each user. In the home directory he creates a series of "Exam" folders, which the pupil should only access during a Controlled Assessment session. Since Culford is a boarding school, a pupil may need to use their exam account outside of a controlled assessment period, so simply enabling and disabling the account as required is not a suitable solution.
What Adrian really required was a way to control NTFS permissions on the exam folders within the home directory for each account. So, Tools4ever built a simple interface, delegated to teaching staff, that switches access to the exam folders on and off at the click of a button.
Now Adrian has shifted the tedious task of controlling exam accounts back to teaching staff. More importantly UMRA is logging every action to keep the auditors happy.
You can read more from Adrian on his blog here