Identity Management Blog

We have all had to answer security questions for online banking, email, social media websites and the like. “What was your first pet’s name?” “What was the name of your best friend in the 1st grade?” “What is your favorite flavor of ice cream?” But what is the true purpose of these questions? When users need to reset their password, we have to rely on other methods to verify they are who they say they are. IT professionals everywhere put such a strong emphasis on maintaining strong passwords - they must be at least 12 characters, have upper and lower case letters, include numbers and symbols ...
Keep it Simple, Stupid. The National Institute of Standards and Technology (NIST) model on Role Based Access Control is a fascinating document (http://csrc.nist.gov/rbac/sandhu-ferraiolo-kuhn-00.pdf). It is loaded with explanations of many important basic RBAC concepts such as Separation of Duties, “permission-role review” that is effectively comparable to user-role review, non-specificity of ...
I was re-reading an oldie-but-goodie, Frank Villavicencio’s blog titled Top 10 Common Pitfalls of an IAM Initiative. For anyone who has been responsible for an enterprise system deployment, especially an enterprise IAM system deployment, the top 10 reads like the 10 Commandments.
In Part 1 of this series, we looked at how important it is to have documentation of what you expect your system to do and the value of making a plan. Now we want to take a closer look at writing the test cases themselves.
Part 1 and Part 2 describe the evolution of our thought process as we become an IDaaS solution provider. In part 3 I provide two more lessons that have helped us shape our approach. Do you really need to be that unique?
In part 1, I started by sharing two important lessons in our journey to becoming an IDaaS solution provider, namely avoid Cloudwashing and don’t forget about the on-prem apps. In part 2, we will focus on two additional lessons. Start with identity, not with SSO. On several occasions before, I have stated that Single Sign-On (SSO) should be the by-product of doing identity and access management ...
Before joining Identropy, I spent most of my career deploying and supporting large IAM programs for large companies. That is where I learned the importance of having a clearly stated strategy (that aligned with the business strategy) and an initiative roadmap. I instinctively knew the strategy and roadmap were essential.
Over a year ago, Nishant Kaushik, our Chief Architect and well-known identirati, posted a blog which I think is very relevant today. It focused on the notion that in order to truly accelerate identity management (IDM) deployments, effectively reducing customers’ time-to-value (TTV), one needs to focus on a limited set of use cases and optimize the solution for a well-defined user audience.
A common approach by organizations on tight budgets has been to solve their Identity and Access needs with Active Directory (AD). While this approach has its advantages, it has many more disadvantages. AD has its place in almost any enterprise-computing environment, but as security and risk professionals, we must know where it belongs (and doesn’t belong) in an IAM strategy.
Here, we will continue the playbook items list that we started in part 2.