Quest IAM Challenges


Overcoming IAM Challenges For Dummies, Quest Software Edition

by Kevin Beaver and Jackson Shaw

These materials are the copyright of Wiley Publishing, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

Overcoming IAM Challenges For Dummies, Quest Software Edition

Published by Wiley Publishing, Inc.
111 River Street
Hoboken, NJ 07030-5774
www.wiley.com

Copyright 2011 by Wiley Publishing, Inc., Indianapolis, Indiana
Published by Wiley Publishing, Inc., Indianapolis, Indiana

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services, please contact our Business Development Department in the U.S. at 317-572-3205. For details on how to create a custom For Dummies book for your business or organization, contact info@dummies.biz. For information about licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.

ISBN: 978-1-118-10545-0

Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1


Table of Contents

Introduction ........ 1
  How This Book Is Organized ........ 1
  Icons Used in This Book ........ 1

Chapter 1: Overcoming Identity and Access Management Challenges ........ 3
  Dealing with a Multitude of Identities ........ 4
  Managing Lots of Manual Tasks ........ 5
  Remembering All Those Passwords ........ 6
  Getting Your Arms Around Disparate Systems and Applications ........ 7
  Balancing So Many Roles ........ 10
  Managing All of the Complexity ........ 12

Chapter 2: Ten Benefits of Quest One for Identity and Access Management ........ 15
  Getting to One Password ........ 15
  Getting to One Identity ........ 16
  Managing Privileged Accounts Securely ........ 16
  Achieving Single Sign-on ........ 18
  Streamlining Provisioning ........ 18
  Improving Role Management ........ 19
  Using Multifactor Authentication ........ 19
  Making Users Happy ........ 20
  Handling Identity Administration More Efficiently ........ 21
  Knowing What Users Are Doing ........ 22


Publisher's Acknowledgments

We're proud of this book and of the people who worked on it. For details on how to create a custom For Dummies book for your business or organization, contact info@dummies.biz. For details on licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.

Some of the people who helped bring this book to market include the following:

Acquisitions, Editorial, and Media Development
Project Editor: Linda Morris
Editorial Manager: Rev Mengle
Business Development Representative: Melody Layne
Custom Publishing Project Specialist: Michael Sullivan

Composition Services
Project Coordinator: Kristie Rees
Layout and Graphics: Carrie A. Cesavice
Proofreader: John Greenough
Special Help: Brian Underdahl

Publishing and Editorial for Technology Dummies
Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary Bednarek, Executive Director, Acquisitions
Mary C. Corder, Editorial Director

Publishing and Editorial for Consumer Dummies
Diane Graves Steele, Vice President and Publisher, Consumer Dummies

Composition Services
Debbie Stailey, Director of Composition Services

Business Development
Lisa Coleman, Director, New Market and Brand Development


Introduction

Are you ready to tackle identity and access management for your enterprise? Would you like to improve efficiency, enhance security, and also tackle thorny compliance issues? If so, you've come to the right place. Overcoming IAM Challenges For Dummies, Quest Software Edition, shows you how to use Quest One Identity Solution to manage administrative access. You'll see how the right identity and access management solution can save you money, improve your security, and result in happier users.

How This Book Is Organized


This book is divided into two chapters:

Chapter 1, Overcoming Identity and Access Management Challenges, discusses the problems organizations have with identity and access management. You see that users have to deal with too many identities, IT has to handle too many manual tasks, and the whole existing system is simply too complex.

Chapter 2, Ten Benefits of Quest One for Identity and Access Management, presents 10 different ways that Quest can benefit your enterprise.

Icons Used in This Book


This book uses the following icons to call your attention to information you might find helpful in particular ways. The information in paragraphs marked by the Remember icon is important and therefore repeated for emphasis. This way, you can easily spot the information when you refer to the book later.



The Tip icon indicates extra-helpful information.

Paragraphs marked with the Warning icon call attention to common pitfalls that you may encounter.

Need more?

This book was excerpted from Identity & Access Management For Dummies, Quest Software Edition, done on behalf of Quest. If you'd like a copy of the full book, which describes the Quest One Identity Solution in greater detail, please contact your Quest representative or contact Quest directly at www.quest.com/IAMbookregistration or 1-800-306-9329.


Chapter 1

Overcoming Identity and Access Management Challenges


In This Chapter
Dealing with a multitude of identities and manual tasks
Getting your arms around disparate systems and applications
Managing all the complexity

In recent years, enterprise networks have evolved from relatively simple configurations to complex user environments made up of diverse operating systems, applications, and databases. Add demanding users (especially those mobile types you never see) who want things now, and it's enough to make your head spin. But all is not lost. You can get your arms around managing your user identities by utilizing identity and access management tools.

Sounds simple, huh? Well, it's not that straightforward. Identity and access management presents many difficult, complex, and expensive challenges. These challenges increase the cost of doing business, reduce efficiency, adversely affect your profitability, and unfortunately, they continue to grow. In this chapter, we look at some of those challenges to give you a clearer picture of the problems and the solutions.


Dealing with a Multitude of Identities


Today's enterprise has many complex and diverse information systems. Gone are the days of a single, ultra-secure system that could be accessed by a select few employees. With the proliferation of the personal computer and networking, the number and types of systems that are accessed and the number of employees who must be granted access have grown exponentially.

What's an IT manager to do? You could, of course, simply open the doors and let everyone have access to everything, no matter how sensitive or vital the information and systems might be. But in today's world of government and industry regulations, security and compliance issues dictate that you need to control who has access to each of those vital systems.

It's also clear that different people have different access needs across different areas of the business. If you don't manage those needs wisely, you've got an information systems free-for-all. For example, all office employees are likely to need e-mail access, but only a few should have access to payroll records. As a result, you have to deal with controlling multiple identities for each of your users so that they can access what they should but not have access to what they shouldn't.

The mere fact that authentication (proving the user logging in is who they say they are), authorization (granting that user appropriate access to resources), and administration (managing the whole process and lifecycle of the identity) must be controlled for every identity for every user in the enterprise creates the majority of identity and access management challenges. When each system or platform in an organization functions autonomously with its own authentication, authorization, and administration practices and policies, each user may need to have dozens of identities to access all the systems he or she needs. Who signs up for that?

As an example, an organization with ten separate systems could have:

Ten passwords per user that must be individually managed
Ten places to set up and manage user accounts, processes referred to as provisioning (establishing user accounts, rights, and group membership), re-provisioning (maintaining user accounts throughout their lifecycle), and de-provisioning (revoking access when a user is terminated or leaves)
Ten separate directory services to manage
Ten sets of policies to enforce
Ten places to audit for access control

These many different identities, passwords, policies, and so on bring a level of complexity that gets in the way of maintaining control of your resources and costs. The parent book to this e-book, Identity & Access Management For Dummies, Quest Software Edition, discusses the Quest One Identity Solution answers to these problems.

Managing Lots of Manual Tasks


Managing user passwords, provisioning users, enforcing policies, and auditing access are all fairly simple and straightforward tasks that almost any IT person can easily handle. But each of those tasks takes time to perform, and when they must be performed manually on each and every system for each individual user, the burden becomes too much to handle.

Looking back at our example of an enterprise with ten different systems, imagine how much time would be required for something as simple as a group of ten employees transferring from their current positions into different departments where each person had a new set of responsibilities. Depending on the specifics, you could be looking at up to 1,000 individual manual tasks (10 users x their 10 identities x the 10 different systems they use = 1,000 changes to make) simply to handle those ten transferring employees. Is it any wonder that the people working in IT dread answering the telephone?

Time is the most precious asset of IT professionals. It's also the scarcest resource. Highly paid IT staff shouldn't get bogged down performing tedious manual tasks that could otherwise be automated. Quest One offers a number of solutions that simplify and reduce the number of tasks that need to be performed manually. Chapter 2 gives you a quick overview of a number of these solutions.

Remembering All Those Passwords


Passwords are everywhere. They are, in fact, the most common form of network authentication. But passwords are used for more than simply allowing a user to log onto the network; they're also used to control access to mail systems, databases, files, and applications.

In many cases, passwords are everywhere they shouldn't be. Who hasn't seen a user with a password written on a sticky note on the side of their monitor? If the password isn't on the side of the monitor, it's probably written on a note right inside the top desk drawer.

Better yet, why even have a password at all? They merely serve to get in the way of users accessing Facebook, shopping online, and doing the other shenanigans people carry out on their work computers. Joking aside, some users do think this would be the ideal way to work: no security to get in their way. Sadly, many users have management on their side and are able to pull off such a scenario. The folks in IT have their hands tied.

Why are users so careless with their passwords? Actually, there can be several reasons:

Passwords can be hard to remember.
Users are often required to have many different passwords in order to access the multiple systems they need to use to do their jobs.
Users generally don't understand the need to protect their passwords, or the consequences haven't been clearly spelled out.
Calling the help desk for a password reminder or reset can be a hassle.

In order to make passwords as effective and secure as possible, most organizations implement policies that control how passwords are formatted; common policies include requiring a mix of characters (letters, numbers, and symbols), requiring a minimum password length (eight characters is a common requirement), and so forth. Given the chance, most users would rather use a much simpler password such as their pet's name or their birthday because those are a lot easier to remember.

Passwords also have a lifecycle: They are created and typically last 60 to 90 days before they must be changed. Policies that dictate that users cannot reuse previously used passwords also increase the difficulties that people have in remembering their current passwords.

Just because best practice dictates that passwords should be changed every 60 to 90 days doesn't mean it's right for your environment. Based upon your business's unique risks and other circumstances, you might decide to allow for a longer password term and force changes more often only when you suspect a password breach or other user accountability issue. Such an approach can greatly simplify identity and access management.

When users do forget their passwords, system policies often lock them out of their various accounts after a couple of failed logon attempts. When this happens, the user usually has to call someone to get a password reset. Not only is this call a waste of the user's time, but it also results in increased support costs. Analysts estimate that a single call to a help desk for a password reset costs at least $20, and that's not taking into account the lost productivity for the user! Organizations need a better way for users to deal with passwords if they want to keep these costs in check. Quest One has the solutions that can reduce the hassle of usernames and passwords to a much more manageable level.

Getting Your Arms Around Disparate Systems and Applications


Organizations often have many different systems and applications (sometimes too many!), each with their own requirements for things like usernames and passwords. In addition, these different systems and applications may have many different ways of adding users. Your IT staff (or, in some cases, another person in the organization) has to understand each of these systems and applications and their requirements in order to properly assist the users.

Take a look at some of the different types of systems that are typically found in the enterprise today. These systems can include any of the following, each with its own purpose and access requirements:

Windows systems: Microsoft's server operating system, Windows Server, and its key authentication mechanism, Active Directory (AD), house a high percentage of the user identities at the vast majority of enterprise organizations.

Unix and Linux: Many organizations also run Unix or Linux systems. Typically, these systems run enterprise applications and databases that either pre-date the dominance of Windows or have been deemed to run better on the Unix or Linux platform.

Macintosh: Many organizations also run Macintosh as the desktop choice for a portion of their user base. These users may be isolated from the dominant AD identity infrastructure.

Legacy systems: Although growth has slowed, the importance and proliferation of mainframe and mid-range systems are still significant. Typically, these systems are vital to successful operations, both because of the critical nature of the data and processes they house and because replacing them with Windows or Unix-based systems is out of the question.

The different systems may run many different applications, including:

Enterprise applications: Heading the list of mission-critical applications are those known as enterprise applications. Examples of enterprise applications are ERP (enterprise resource planning) systems such as SAP, Siebel, and others; financial applications; and human resources applications such as PeopleSoft. Often, either by necessity or choice, these applications run on Linux or Unix, whereas the main desktop computing platform is Windows. Access to these applications must be highly controlled yet extremely flexible.

Databases: The backbone of all these platforms and applications is the data. Oracle, DB2, SQL Server, Sybase, and other databases may support any of the previously listed applications.

Other applications: Beyond enterprise applications, an organization may have any number of additional critical applications to address its unique needs. Whether these applications are industry-specific, home-grown, or custom-built by outside developers, they often include built-in access control options that may not integrate with the mechanisms of the underlying operating systems and other applications. Access to these applications may be hard-wired or Web-based, and it may be restricted to specific employees, open to all employees, available to partners, or even include customer-facing components.

Many enterprises have grown organically, adding platforms and applications when needed without consideration to the additions' long-term impacts on the other systems. Each system functions as an island unto itself without integration or interoperability with the rest of the enterprise, which can have some adverse side effects. Don't misunderstand what we're saying, though. Certain islands, such as those in the South Pacific, are wonderful; just not these types of islands. This is especially true when it comes to user identity and access.

The implications of having so many different requirements for the disparate systems and applications are easy to guess: increased costs and the likelihood that errors will occur. For example, a user who moves to a different department or leaves the company may not be removed from all of the organization's systems, resulting in security or compliance issues. Such oversights create the perfect scenario for attracting the attention of those pesky auditors. Quest One can help you bring the problems of dealing with so many different systems and applications to a manageable size.

We go into more detail about Quest One's solutions to these problems in Identity & Access Management For Dummies, Quest Software Edition, the parent book to this e-book.


Balancing So Many Roles


The many different systems and applications used in a typical enterprise also result in individual users being tied to many different business roles in the organization. For example, someone might be an ordinary user with limited rights on one system, but they might require elevated rights (perhaps even administrator-level rights) in order to perform their duties on another system or application. In addition, the disparity of systems often means that the same role is defined and executed separately from system to system with no correlation across the diverse environment. A user may be defined as an analyst on three separate systems, but the analyst role is different on each system and they are in no way related to one another.

With the advent of compliance regulations like the Sarbanes-Oxley Act (SOX) and the intense scrutiny they place on access to business-sensitive applications, organizations can no longer rely on numerous manual provisioning processes to maintain compliance. Add to that the need to tightly delegate access management control among various administrative groups, provide self-service capabilities to users to lighten the IT burden, and involve key people in IT processes through change approval, and it's no wonder that today's administrators need help.

Regulatory compliance is a perfect example of why a well-planned identity and access management system is needed. Compliance is a driving force behind many, if not most, security expenditures and provides the automation, visibility, and control you need to make it all work. In an effort to achieve compliance and security objectives, many organizations are looking to implement role-based access control (RBAC), an approach used to restrict system access to authorized users based on their roles within the organization.

RBAC requires thorough and universal role management, and organizations implementing it must answer specific questions: who can act in a particular role, who authorized that assignment, under which conditions is the role performed, how are policy and policy conflicts identified and resolved, what entitlements are associated with the role, and so on. In other words, organizations must decide how roles relate to business processes and implement the appropriate practices or technologies to achieve RBAC.

Identity and access management processes and technologies allow you to focus on roles instead of people, ensuring that the concept of business need-to-know (meaning users have a legitimate business reason to access the systems and information they've been granted access to) that oh-so-many regulators and auditors like to quote becomes a reality.

Bridging the gap between current practices, policies, compliance requirements, and business needs through the execution of RBAC can be a difficult and troublesome undertaking. Organizations need a way to consolidate and coordinate enterprise roles and associate those roles with the appropriate access rights, workflows, policies, permissions, and attestations. In addition, the ongoing management of a diverse and non-correlated set of roles can undercut the effectiveness of a role management strategy.

An ideal solution to help take the pain out of role management has the following attributes:

Empowers you to establish roles based on your business processes and the way your company operates
Provides you the capability to automate role management processes efficiently and securely, ensuring effective RBAC
Firmly establishes a hierarchy of permissions within those roles to granularly address all administration and access activities
Streamlines the administration of roles over time, including modifications to roles themselves, movement of individuals within and among roles, as well as the addition of new roles and access points as your business evolves
Empowers you to accurately and efficiently associate roles with resources for effective access control driven by business processes
Associates existing business processes and policies with roles (new or previously established) to arrive at the correct stance for maximum security, compliance, and administrative efficiency

Quest One solutions can help you automatically provision, re-provision, and, more importantly, de-provision users quickly, cost-efficiently, and securely. Quest One can provide strictly enforced role-based security, automated group management, a multi-level workflow designer and Web interfaces for self-service to achieve practical user and access lifecycle management for the Windows enterprise and beyond.

Managing All of the Complexity


Ultimately, the whole struggle with identity and access management comes down to too much complexity. Getting things done takes too much time, requires too many different steps, takes too many different sets of skills, and is too costly.

If we've learned anything about information security over the years, it's that complexity is the enemy. The more complex your environment is, the more painful and more difficult it is to gain some semblance of security. We've gotten to a point where information systems complexity has a direct impact on productivity, visibility, and security. It's a business problem that must be addressed.

The typical approach to this complexity is to impose a management layer on top of everything so that you have one common place to do the things you need to do to keep everything under control. No, we're not referring to draconian rules or Big Brother tactics on the part of your HR department. Instead, this management layer is intended to address the security, efficiency, and compliance needs of the enterprise, using policy, technology, and education to foster some function in your business. Often, however, the end result is a system that is difficult to understand, almost impossible to control, and costly to maintain.

It's easy to assume that throwing management-mandated rules and technical controls at a problem is the solution to all things security-related. In fact, it's quite the opposite. Rather than serving the business, such controls often get in the way of doing business, negating their intended benefits.

Quest One solutions take a different approach than this added management layer. The Quest One approach helps you to reduce complexity as much as possible by taking a "get to one" attitude. That is, rather than dealing with many identities spread across any number of different systems and applications, Quest One helps you come as close as possible to a single identity. Table 1-1 illustrates how the Quest One approach differs from the traditional ways of dealing with identity and access management (IAM) challenges.

Table 1-1: Simplifying Real-World IAM Problems the Quest Way

Task: Employee starts
Traditional approach: Enter in HR; HR contacts IT; IT provisions in AD; IT provisions in SAP; IT provisions in Oracle; IT provisions in Unix (x50); IT provisions for remote access; IT provisions multifactor authentication
Quest One approach: Enter in HR, which automatically provisions to AD, Unix, Linux, SAP, and remote access

Task: Employee logs in
Traditional approach: Once for AD; once for SAP; once for Oracle; once for Unix (x50)
Quest One approach: Single sign-on

Task: Employee forgets password
Traditional approach: Call help desk for AD; call IT for Unix; call IT for Oracle; call IT for other applications
Quest One approach: Self-service password reset

Task: Employee needs remote access
Traditional approach: Non-secure login; repeat for each resource
Quest One approach: Secure login based on AD role and protected through reverse proxy Web single sign-on

Task: Employee changes jobs
Traditional approach: Enter in HR; HR contacts IT; IT re-provisions in AD; IT re-provisions in SAP; IT re-provisions in Oracle; IT re-provisions in Unix (x50); IT re-provisions for remote access; IT re-provisions TFA
Quest One approach: Change in HR automatically re-provisions to AD, Unix, Linux, and all others through

Task: IT needs to see what's going on
Traditional approach: Audit AD; audit Unix (x50); audit SAP; audit Oracle; can't audit some (root activity, Web-based access, and so on)
Quest One approach: Audit AD (and everything pulled into AD); keystroke logging of root activities; audit of remote access; viewed through a single portal interface

Much of the difficulty in identity and access management is rooted in the diversity of the systems, applications, and platforms within organizations. When users have many disparate identities across systems, efficiency, security, and compliance all suffer. The Quest One solution for IAM helps organizations "get to one" with their identities and the tasks associated with them. By implementing the Quest One solution, organizations improve efficiency, enhance security, and achieve compliance.

Chapter 2

Ten Benefits of Quest One for Identity and Access Management

In This Chapter
Getting to one password and one identity
Managing privileged accounts securely
Streamlining provisioning
Unifying roles with identity intelligence
Using multifactor authentication
Handling identity administration more efficiently
Knowing what users are doing

In this chapter, we look at ten benefits your organization will discover by following the Quest One Identity Solution approach to identity and access management, all of which can lead to more efficient IT management and reduced business risk.

Getting to One Password


Quest One starts to address the "managing strong passwords doesn't have to be complicated" issue with Quest Password Manager. Quest Password Manager enables end users to reset their own password and synchronizes that password across multiple platforms and applications.

Quest Password Manager supports a broad range of platforms and applications in addition to Microsoft Active Directory (AD) to create a unified approach to password management. Through Quest Authentication Services, organizations can actually reduce the number of passwords to manage and centralize self-service password resets on Unix, Linux, Mac, and Java systems through a single AD password. Quest Enterprise Single Sign-on provides a single point of user login/authentication to virtually any system and application that cannot be joined to AD. This includes standard username/password logins as well as the entire range of strong authentication options such as smart cards, biometrics, or one-time passwords (OTP). The result of the Quest One approach to password management is improved efficiency, increased security, and enhanced compliance.

Getting to One Identity


Quest Authentication Services enables a large number of non-Windows systems (specifically Unix, Linux, and Mac) to participate as "full citizens" in AD. As a result, those systems no longer need individual user identities for authentication and can instead authenticate with the single identity that already exists in AD. For Java applications, the same benefit can be achieved through Quest Single Sign-on for Java. Unifying identities in an already deployed directory results in dramatic gains in efficiency, because user accounts need only be provisioned and managed in one place for multiple systems. Security and compliance also improve, because stricter policy and more secure practices can be implemented in one central directory instead of across multiple, disparate systems.

Managing Privileged Accounts Securely


Privileged accounts, that is, user accounts with a high level of authority, present a unique set of management challenges. These accounts are typically shared among several users, which can lead to mismanagement or, worse, abuse of privileges. On Windows systems, administrators have much greater control over the access granted to individual users. Quite simply, Windows offers a granularity of control that stock Unix and Linux lack, where root access is traditionally all or nothing. On Windows systems, you can use Quest ActiveRoles Server to implement strictly enforced role-based security, or granular control over exactly what administrative users are able to do and which resources they can access. ActiveRoles Server helps you achieve and sustain regulatory compliance by implementing secure, automated, and auditable internal controls over granting and revoking access to network resources. Quest also gives you the same level of control on Unix and Linux systems. Quest Privilege Manager for Unix enhances security by protecting the full power of root access from misuse or abuse through fine-grained, policy-based control. Unix systems pose a special risk to the enterprise because of the virtually unlimited power that root access gives an administrator. You need a way to control this power while still enabling users to have the access they need. Privilege Manager lets you define a security policy that stipulates who has access to which root function, as well as when and where individuals can perform those functions. It controls access to existing programs as well as any purpose-built utilities used for common system administration tasks. With Privilege Manager, the risk of someone deleting critical files, modifying file permissions or databases, reformatting disks, or damaging Unix systems in more subtle ways is greatly reduced. One caveat applies to any such policy: a delegated command that can spawn a shell or open arbitrary files (an editor, a pager, an interpreter) hands over everything root can do, so rules should name exact commands and arguments rather than broad patterns.

By enabling administrators to define fine-grained security policies, delegate common management tasks, and log all Unix root activities down to the keystroke level, Privilege Manager for Unix reduces security risks, increases IT productivity, and enables organizations to achieve and sustain compliance in a cost-effective manner.
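The kind of decision a root-delegation policy makes (who, which command, on which host, at what hour), worked as an added example rather than Quest's own policy language or code. The rule format, the group table, the host names and the `decide` function are all constructed for this example; a real deployment would read group membership from AD or LDAP. Every decision, allowed or denied, goes into an audit record, and the default is to deny.

```python
"""Policy-based delegation of root commands (deny by default).

Added example, not Quest Privilege Manager's own policy language or code:
a small evaluator with the same shape of decision the text describes
(who, which command, where, when) and an audit record for every decision.
"""
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
import shlex


@dataclass(frozen=True)
class Rule:
    users: frozenset          # user names, or "%group" for group membership
    commands: tuple           # glob patterns over the full command line
    hosts: tuple = ("*",)     # glob patterns over the host name
    hours: tuple = (0, 24)    # allowed local hours, [start, end)
    log_keystrokes: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    command: str
    log_keystrokes: bool
    reason: str


# Constructed group membership; a real deployment reads it from AD/LDAP.
GROUPS = {"dba": {"alice"}, "ops": {"alice", "bob"}}

# Constructed policy. Commands are full paths with fixed arguments where
# possible: a pattern such as "/usr/bin/vi *" would let the user open a
# shell from the editor and defeat the policy entirely.
POLICY = (
    Rule(users=frozenset({"%dba"}),
         commands=("/usr/bin/systemctl restart postgresql",),
         hosts=("db*",), hours=(8, 18)),
    Rule(users=frozenset({"%ops"}),
         commands=("/usr/bin/systemctl restart nginx", "/usr/bin/journalctl *"),
         hosts=("web*",), log_keystrokes=True),
)

AUDIT = []   # every decision, allowed or not

DAY = datetime(2011, 3, 2)   # constructed reference day for the examples


def at(hour):
    """Time of day on the reference day (helper for examples and tests)."""
    return DAY.replace(hour=hour)


def _is_member(user, entry):
    if entry.startswith("%"):
        return user in GROUPS.get(entry[1:], ())
    return entry == user


def decide(user, host, argv, now, policy=POLICY):
    """Return the Decision for `user` running `argv` on `host` at `now`.

    `argv` is the exact argument vector that would be passed to exec(),
    never a string handed to a shell, so quoting here is for matching
    and logging only.
    """
    cmd = " ".join(shlex.quote(a) for a in argv)
    decision = Decision(False, cmd, False, "no rule matched (default deny)")
    for rule in policy:
        if not any(_is_member(user, u) for u in rule.users):
            continue
        if not any(fnmatchcase(host, h) for h in rule.hosts):
            continue
        if not rule.hours[0] <= now.hour < rule.hours[1]:
            continue
        if any(fnmatchcase(cmd, c) for c in rule.commands):
            decision = Decision(True, cmd, rule.log_keystrokes, "matched rule")
            break
    AUDIT.append((now.isoformat(), user, host, cmd, decision.allowed))
    return decision


if __name__ == "__main__":
    print(decide("alice", "db01", ["/usr/bin/systemctl", "restart", "postgresql"], at(10)))
    print(decide("bob", "db01", ["/usr/bin/systemctl", "restart", "postgresql"], at(10)))
    print(decide("alice", "db01", ["/bin/bash"], at(10)))
```

The matching is done against the whole command line, not just the program name, which is what stops "/usr/bin/systemctl restart postgresql" from being stretched into "/usr/bin/systemctl restart sshd" or into a shell.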

Achieving Single Sign-on


User logins, and the problems that come with multiple logins across many diverse systems, are a major source of inefficiency and insecurity for most organizations. Quest One helps address these challenges through a comprehensive suite of single sign-on (SSO) solutions that increase efficiency, enhance security, and help you achieve compliance. Quest Authentication Services and Single Sign-on for Java enable a large number of systems and applications to authenticate with the user's AD password and AD credential, controlled through AD security policy. This true single sign-on approach covers Unix, Linux, Mac, Java, SAP, Siebel, DB2, any application that uses pluggable authentication modules (PAM) or the Generic Security Services API (GSSAPI), any application that is Kerberos-enabled, and any application that is LDAP-aware (Lightweight Directory Access Protocol). For systems that cannot leverage AD authentication for true single sign-on, Quest offers an AD-based enterprise single sign-on solution. Quest Enterprise Single Sign-on lets users log on to any system or application with only a single password entered into AD; all subsequent, non-AD logons are performed automatically by the solution on the user's behalf. Because that one AD logon now unlocks every downstream application, the AD password policy and any strong authentication on that first logon matter more, not less. Only Quest One offers both true single sign-on and enterprise single sign-on, a blended approach to perhaps the most prominent challenge in identity and access management.

Streamlining Provisioning
Quest One helps you control your identity management universe: it creates a single point of administration for identities across the enterprise, eliminates redundant effort, reduces errors, and saves time. For example, a single provisioning action in AD can take care of users on Unix, Linux, and Mac systems that have been unified with AD through Quest One solutions. Similarly, turning off that single user account in AD immediately terminates access across the same wide range of non-Windows systems. (Kerberos tickets and cached credentials already issued remain valid until they expire, so disabling the account stops new logons; sessions already open need to be ended separately.) Quest One also offers solutions that are not centered on AD. Enterprise-wide provisioning capabilities are available through Quest One Identity Manager, which implements a foundation for all provisioning actions without requiring large amounts of custom coding. The bottom line is that with fewer places to perform provisioning actions (as well as re-provisioning and de-provisioning), you benefit from increased efficiency in identity administration, a higher level of security as human error is reduced, and improved compliance as de-provisioning is accelerated and more tightly controlled.
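The joiner, mover and leaver rows of Table 1-1 and the single-action provisioning described in this section, worked as an added example (not Quest One code). One HR record is the source of truth; a constructed role-to-entitlement table gives the desired state on each target system, and a reconciliation step diffs that against what each system currently has. The system names, roles, group names and the `process_hr_event` function are assumptions made for the example. The point a practitioner should take from it is the removal step: a job change must take away the old role's entitlements, not only add the new ones.

```python
"""Joiner / mover / leaver provisioning from one source of truth.

Added example, not Quest One code. The HR record drives a role-to-
entitlement table; the desired state for every target system is computed
from it and diffed against what each system currently has, so a hire, a
job change and a termination are each a single HR action rather than the
per-system work in Table 1-1.
"""

SYSTEMS = ("ad", "unix", "sap", "vpn")

# Constructed role model: which groups each role gets on each system.
# A role with no entitlement on a system gets no account there at all.
ROLE_ENTITLEMENTS = {
    "dba":   {"ad": {"Domain Users", "DBA"}, "unix": {"dba"},
              "sap": set(), "vpn": {"vpn-users"}},
    "sales": {"ad": {"Domain Users", "Sales"}, "unix": set(),
              "sap": {"SD_DISPLAY"}, "vpn": {"vpn-users"}},
}


def desired_state(hr_record):
    """Map an HR record to {system: set(groups) | None}; None means no account."""
    if hr_record["status"] != "active":
        return {s: None for s in SYSTEMS}
    ents = ROLE_ENTITLEMENTS[hr_record["role"]]
    return {s: (set(ents[s]) or None) for s in SYSTEMS}


def reconcile(current, desired):
    """Diff current against desired and return the ordered actions to apply.

    Removals are emitted as well as additions: a mover keeps only the
    entitlements of the new role instead of accumulating the old ones.
    """
    actions = []
    for system in SYSTEMS:
        have, want = current.get(system), desired[system]
        if want is None:
            if have is not None:
                actions.append(("disable", system, None))
        elif have is None:
            actions.append(("create", system, tuple(sorted(want))))
        else:
            for group in sorted(want - have):
                actions.append(("add", system, group))
            for group in sorted(have - want):
                actions.append(("remove", system, group))
    return actions


def apply_actions(current, actions):
    """Return the state after applying actions (the connectors' job in practice)."""
    state = {s: (None if current.get(s) is None else set(current[s])) for s in SYSTEMS}
    for op, system, arg in actions:
        if op == "create":
            state[system] = set(arg)
        elif op == "disable":
            state[system] = None
        elif op == "add":
            state[system].add(arg)
        elif op == "remove":
            state[system].discard(arg)
    return state


def process_hr_event(current, hr_record):
    """One HR change in, the actions and the resulting state across all systems out."""
    actions = reconcile(current, desired_state(hr_record))
    return actions, apply_actions(current, actions)


if __name__ == "__main__":
    state = {}
    for event in ({"user": "alice", "role": "dba", "status": "active"},
                  {"user": "alice", "role": "sales", "status": "active"},
                  {"user": "alice", "role": "sales", "status": "terminated"}):
        actions, state = process_hr_event(state, event)
        print(event["status"], event["role"], actions)
```

Running the three events in order shows the three rows of Table 1-1 collapsing to one action each: the hire creates accounts only where the role has an entitlement, the move removes DBA and disables the now unneeded Unix account, and the termination disables everything that is left.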

Improving Role Management


Quest One helps you unify roles to arrive at a single, authoritative set that can govern access across the entire enterprise. This approach, infused with identity intelligence, means that roles and how they affect access can be implemented and controlled based on your business needs, not on the capabilities (or lack of capabilities) built into your existing identity and access management solutions. With roles unified, the associated critical concepts of rules, policy, workflow, and approvals can also be unified. Similarly, the intelligence offered by the Quest One approach ensures that each of these controlling factors does the right thing for user access without custom coding. This approach also provides dynamic adjustment and the ability for those on the front lines, end users and line-of-business personnel, to drive identity management.

Using Multifactor Authentication


Quest One Defender leverages the ubiquity of AD and its scalability, security, and compliance to provide a multifactor authentication solution that takes advantage of the corporate directory already in place. Defender has been architected to integrate fully with AD. This integration leverages all the advantages of centralized management of directory information through a common, user-familiar interface. A user's token assignment is simply an additional attribute of the user's properties within the directory, which makes the security administrator more efficient. Defender authentication can be used by your employees, business partners, and customers, whether they are local, remote, or mobile. Whether they require remote access through VPN to key applications, wireless access points, network operating systems, intranets, extranets, or Web servers, Defender's strong multifactor authentication ensures that only authorized users are permitted access. With Quest Authentication Services, a single Defender token secures access not only to Windows systems but to Unix, Linux, and Mac as well. Defender offers self-registration: hardware tokens can be distributed to individuals without the need for identity association and tracking. Self-registration significantly lowers deployment and administration costs; it remains a sound control only if the registration step itself requires the user to prove the identity the token is being bound to. Defender's ZeroIMPACT migration strategy allows organizations to undertake a gradual migration to Defender from an incumbent strong authentication solution. Defender supports a unique security proxy feature that enables you to deploy it alongside your existing one-time password (OTP) solution. Quest Defender authentication tokens are shipped ready to use and have no preprogrammed expiration; they last as long as the battery lasts (typically five to seven years). Once again, you save time and money because less work is required and replacement tokens are purchased less frequently.
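What the server side of an OTP token actually has to keep per user, worked as an added example that is not Defender code (the page does not state which token algorithm Defender uses). The example implements the standard event-based algorithm, HOTP from RFC 4226, checks it against the test vectors published in that RFC, and shows the per-user record the text describes as an attribute on the user object: the shared secret and the moving counter, plus a bounded look-ahead window for tokens pressed without a login and a lockout against online guessing. `TokenRecord`, the window size and the failure limit are assumptions made for the example.

```python
"""Event-based one-time passwords (HOTP, RFC 4226) with server-side verification.

Added example, not Quest Defender code. Defender's token algorithm is not
specified on this page; the example shows the standard HOTP algorithm,
checked against the test vectors in RFC 4226 Appendix D, and the record a
server must keep per user: the shared secret, the moving counter, and a
bounded look-ahead window for tokens that were pressed without a login.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class TokenRecord:
    """What the authentication server stores for one user's token.

    In the Defender design described above this sits on the user object in
    AD; here it is an in-memory object (assumption for the example).
    """

    def __init__(self, secret: bytes, window: int = 10, max_failures: int = 5):
        self.secret = secret
        self.counter = 0            # next counter value the server expects
        self.window = window        # how far ahead the token may have drifted
        self.failures = 0
        self.max_failures = max_failures

    def verify(self, code: str) -> bool:
        if self.failures >= self.max_failures:
            return False            # locked: stop online guessing of a 6-digit code
        for step in range(self.window):
            expected = hotp(self.secret, self.counter + step)
            if hmac.compare_digest(expected, code):
                # Resync past the used value so the same code never works twice.
                self.counter += step + 1
                self.failures = 0
                return True
        self.failures += 1
        return False


# Shared secret from the RFC 4226 test vectors (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))   # 755224, 287082, 359152
```

The two checks in `verify` are the ones that matter operationally: the counter always moves past the code that was accepted (no replay, even inside the window), and a small failure limit keeps a six-digit code from being brute-forced against the look-ahead window.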

Making Users Happy


Users hate waiting on the phone to talk to the help desk. Heck, many don't even like calling the help desk at all! Quest One can help by providing a variety of self-service capabilities. From password resets to updating personal information, and from requesting system access to approving requests from staff members, the Quest One approach to identity and access management is optimized to accelerate efficiency, relieve IT of unnecessary and tedious involvement, and put the work in the hands of those who understand what they are trying to accomplish.

For example, self-service password reset improves productivity for users who are on a different schedule than your help desk or who need help during off-hours. With access to an automated, 24x7x365 password reset and account unlock interface, users can continue to be productive rather than being locked out until the help desk opens in the morning. The security of any self-service reset rests on the strength of the secondary verification it demands; a reset path that accepts easily researched personal facts is weaker than the password policy it bypasses.

Handling Identity Administration More Efficiently


Quest ActiveRoles Server can help you automatically execute some of the most time-consuming identity administration tasks. It empowers you to provision, re-provision, and de-provision Active Directory users quickly, cost-efficiently, and securely. ActiveRoles Server helps you keep up with requests to create, change, or remove user access to various network resources, so you no longer need to rely on manual provisioning processes to maintain compliance. This is especially important with the advent of compliance regulations like the Sarbanes-Oxley Act and the intense scrutiny they place on access to business-sensitive applications. ActiveRoles Server provides practical user and access lifecycle management. It automates user and group provisioning lifecycle tasks to reduce your administrative workload and increase control over user access, whether the user is a new hire, an intra-organization transfer, or a termination. The power of Quest One for identity administration doesn't stop at AD. Synchronization technology, identity intelligence, and consolidation of identities enable Quest One solutions to securely and efficiently perform administrative actions for the entire enterprise beyond AD. The identity intelligence-driven administration capabilities available through Quest One let you implement the foundation for all identity administration actions (including provisioning, role definition and management, and password management) enterprise-wide without the burden of extensive custom coding and difficult-to-manage connectors.

Knowing What Users Are Doing


Understanding user and administrator activity is at the heart of a secure and well-managed infrastructure, but knowing what users do with the access they have to critical network resources has been a challenge for IT organizations. Quest's ChangeAuditor addresses these concerns in heterogeneous environments. ChangeAuditor enables you to securely collect your event data, keep more data online, report intelligently, and improve system security and performance. ChangeAuditor alerts you in real time to unusual user, administrator, and system activity, and those alerts can be sent directly to you by e-mail or to third-party monitoring applications. Quest Reporter provides automated discovery and comparison of configuration-related items to support planning, securing, and auditing. Reporter enables you to collect, compare, report on, and resolve Active Directory and Windows-based configurations. Armed with this information, you can quickly make strategic and tactical security decisions involving your Active Directory and Windows environment. Reporter supports effective knowledge management and informed decision making, proactive security, improved standards and policy compliance, and better migration planning. The capabilities of ChangeAuditor and Reporter extend beyond AD to Unix, Linux, and Mac systems that have become full citizens in Active Directory through Quest Authentication Services.
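The kind of "unusual administrator activity" alerting described above, and the root-activity and AD auditing rows of Table 1-1, worked as an added example that is not ChangeAuditor code. The events are constructed for the example in a made-up pipe-separated format; the directory event IDs are the standard Windows ones (4720 user account created, 4728 and 4732 member added to a security-enabled group) and the sudo lines stand in for the root-session records a Unix audit source would deliver. The three rules, the group list and the ten-minute correlation window are assumptions.

```python
"""Alerting on privileged-access changes and root activity from audit events.

Added example, not ChangeAuditor code. Runs three detections over
constructed sample events in a simplified format made up for this example
(timestamp|event|key=value|...): Windows-style directory events using the
standard IDs 4720 (user created) and 4728/4732 (member added to a
security-enabled group), and Unix sudo session records.
"""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/su", "/usr/bin/su"}
CREATE_THEN_ADMIN = timedelta(minutes=10)

# Constructed sample events (not real logs).
SAMPLE_EVENTS = """\
2011-03-02T08:55:10|4624|actor=jsmith|host=dc01
2011-03-02T09:02:41|4720|actor=jsmith|target=svc-backup2|host=dc01
2011-03-02T09:04:15|4728|actor=jsmith|target=svc-backup2|group=Domain Admins|host=dc01
2011-03-02T09:30:00|4732|actor=hr-sync|target=alice|group=Sales|host=dc01
2011-03-02T11:12:03|sudo|actor=bob|host=web02|command=/usr/bin/journalctl -u nginx
2011-03-02T23:41:09|sudo|actor=bob|host=db01|command=/bin/bash
"""


def parse(line):
    """One event line into a dict: ts, event, and the key=value fields."""
    ts, event, *kv = line.split("|")
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    rec.update(pair.split("=", 1) for pair in kv)
    return rec


def detect(text):
    """Return alert tuples (timestamp, rule, actor, detail) for the event text."""
    alerts, created = [], {}     # created: target account -> (creator, time)
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        if r["event"] == "4720":
            created[r["target"]] = (r["actor"], r["ts"])
        elif r["event"] in ("4728", "4732") and r["group"] in PRIVILEGED_GROUPS:
            alerts.append((r["ts"], "privileged-group-add", r["actor"],
                           f'{r["target"]} -> {r["group"]}'))
            creator, when = created.get(r["target"], (None, None))
            # A new account promoted to admin minutes after its creator made it
            # is a classic backdoor pattern that a lone membership alert does not name.
            if creator == r["actor"] and r["ts"] - when <= CREATE_THEN_ADMIN:
                alerts.append((r["ts"], "self-created-admin", r["actor"], r["target"]))
        elif r["event"] == "sudo":
            program = r["command"].split()[0]
            if program in SHELLS:
                # Delegated root that turns into an interactive shell is exactly
                # what keystroke logging exists to catch; alert on it outright.
                alerts.append((r["ts"], "root-shell", r["actor"],
                               f'{r["host"]}: {r["command"]}'))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

On the sample above the Sales membership change from the HR sync produces nothing, while the service account that jsmith created and then put in Domain Admins produces two alerts (the membership change itself and the correlated create-then-promote pattern), and bob's late-night sudo to a bare shell produces a third.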
