Information technology is expanding within the business world immensely. For the success of your business, one of the key requirements is the effective IT governance. There are numerous frameworks available to manage the Information Technology within an organization, and COBIT is one such framework that aligns your IT strategies with business strategies. It narrowly focuses on security, risk, management and governance.
Secured Socket Layer (SSL) is a protocol which provides the secured way of communication between the client and server with the help of the certificates. When using Apache Tomcat as a server for the deployment of SailPoint, the data that we are dealing with is sensitive in nature. With the help of Self Sign certificates, we can secure Sailpoint IdentityIQ which is hosted on tomcat server without the need of certificate authority (CA).
1 . Creation of Self Sign Certificate
Step 1: Open up the command promptContinue reading
SailPoint Version : 7.0, 7.1
Unable to request a new account for existing identity from Manage Accounts in SailPoint IIQ.
Firstly we need to check the Lifecycle Manager Configurations, navigate to Lifecycle Manager and in Configure tab Search for Manage Accounts options :
Applications that support account only requests : Select all applications check box or specified application according to your requirement.
Allow Manage Accounts Additional Account Requests : Enable
Allow Manage Existing Accounts : Enable
Allow Account Only Requests : Enable
–> If you are using higher version of SailPoint 6.4 then you will face problem in finding these 3 options to enable them.
Solution 1 :
For that you need to edit init-lcm.xml and import it again in iiq console. (This will effect pre-existing workflows and LCM Configuration. So, to avoid that follow Solution 2).
Follow these steps and pictures shown below for editing init-lcm.xml (Solution 1)
Step 1: init-lcm.xml is present in ~identityIQ/WEB-INF/config/init-lcm.xml location. Make a copy of it and place it in a safe folder.
Now open init.xml and search for Manage Accounts under QuickLink tag.
Carefully observe 3 entries under Manage Accounts tag.
Step 2: Make few changes by enabling this options manually from false to true 3 times in Quicklink Manage Accounts tag as shown in the picture below.
<entry key=”allowManageAccountsAdditionalAccountRequests” value=”false” />
<entry key=”allowManageExistingAccounts” value=”true” />
<entry key=”allowAccountOnlyRequests” value=”false” />
After editing : <entry key=”allowManageAccountsAdditionalAccountRequests” value=”true” />
<entry key=”allowManageExistingAccounts” value=”true” />
<entry key=”allowAccountOnlyRequests” value=”true” />
Step 3: Now save it and import it in iiq console. By using command import init-lcm.xml. After importing observe following changes.
Step 4: Request Account option is available (Issue Resolved). Choose the application for account request. Submit the form.
> Just for Reference in SailPoint 7.0 it will look like this as shown in the picture below.
Step 5: Confirm Account Action . Click Confirm at the end of the page.
Solution 2 :
You can get same results by configuring through Debug Pages.
Step 1: Go to Debug Page > Select object QuickLink from dropdown list. Choose Manage Accounts.
Step 2: Follow same Step 2 in Solution 1.
Step 3: Request Account option is available (Issue Resolved).
Traditionally, all developers deciphered a product, by understanding the Entity Relationship model of the product’s database schema. This approach was the quick and easiest way to understand any product.
A similar approach is tried in deciphering SailPoint IdentityIQ, an Identity Governance solution from Sailpoint. The presentation envisages to give the audience a thorough understanding of the product, not from the API perspective, but from a database model perspective.
Sailpoint’s Identity IQ has some key objects like Identity, Application, Bundle etc. There are many dependent objects. Most of the key objects are covered comprehensively in the presentation.
Mis-utilization of access controls in any system has been an age old problem. Such mis-utilizations lead to serious scandals similar to Enron and MF Global in USA and Satyam scandal in India. Also they would lead to serious internal losses in the organization which could have been prevented with an identity management solution in place.
The exploitation in access controls have grown to great extents that heavily stringent laws to be followed by every organization like SoX and HIPAA have been enforced. The prime objectives of these laws is to strictly assess access control in an organization to ensure that best practices are followed to make sure access control is not misutilized.
Identity management is the domain which would help the organizations solve most of the problems related to access control that could be solved by proper authentication, authorization and accountability.
Identity management solves these problems by strictly monitoring the life-cycle of an enterprise identity. Identity management solutions automate the processes of joiner, mover, leaver (which are the various phases of life-cycle of digital identity).
To monitor the JML process , identity management solutions follow various mechanisms through which CIA is actually achieved. The following are the mechanisms that are followed :
Maintaining and updating the identity repository :
An identity repository or identity vault is a huge collection of all the digital identities and a mapping of various access controls to each digital identity. It serves as base to any identity management operations.
Identity repository is created as a very first step of any identity management solution. This simply means that we have track of all the employees in the organization, their access controls to various organizational resources. Identity vault is very regularly updated to keep track any changes in the digital identities as well their access controls.
Provisioning / De-provisioning Automation :
Provisioning is the process of providing additional access controls in the organization. De-provisioning is the process of removing or disabling an access control for the resource. Both the processes are automated using the attributes or properties of an identity. For example, you may decide on a few access controls based on an employee’s designation attribute as an ‘IT-Manager’.
However, automation of provisioning and de-provisioning solely based on the identity’s attributes becomes highly complex. For easier management, identity management solutions use RBAC ( Role based access control ). As part of RBAC, virtual entities called roles are created, membership in which can lead to access to various resources. Now, the identity attributes are used to assign the memberships in these roles, thus reducing the complexity.
Process implementations :
Every organization has its own way of doing things. Hence it has its own processes that are internally followed to achieve. Similarly, there are processes that are related to the access controls. We digitally define such processes so that they could be automated . As a subpart of the processes, multiple series and parallel approvals can take place.
Certification is a mechanism through which periodic monitoring of access controls take place. Access controls of various identities are forwarded to reporting identities where reporting identities can review the access.
Data Archival strategies :
Even with the best of the practices, there will be a need for archiving the data. Identity management solutions also aim to archiving the past data that will not be useful in running the current state of solution.
While all the above mechanisms give a robust and secure system, it would be a lot convenient to have various reports based on the data present with the identity management solutions. For example, SOX reports could be pulled out of the identity management solution very easily based on the access control data available with the solution. Also the reports would be helpful in making various business decisions internally.
The world as we know has changed dramatically. With the infiltration of personal devices and plethora of applications which collect an individual’s data with/without his/her cognizance have made enterprises, especially government services vulnerable to data loss and its consequences. However, none of the new age ways of working might not be curbed anymore.
The prudent way to step ahead into future shall be to adopt ideas like BYOD, BYOI, Work from Home, Social media enablement into the work culture and let the workforce take the advantage of delivering better. While we adopt, so do we implement the Modern way of Information security.
Data and individual are mutually dependent. Thus protecting the way and means of how data is being accessed by individuals helps solve the jigsaw.
If BYOI may be implemented very well, it helps enterprises track the way an identity acts either in the enterprise or the rest of the world wide web. Social media access has become a huge threat where information might be cross its boundaries in stealth mode. The following steps are prescribed for a safe implementation of BYOI/D methodologies.
- Ensure every door opened technically has an authorized owner and there is strict accountability associated. This is technically possible.
- Ensure zero identity loss by eliminating passwords as much as possible. Passwords are a menace.
- Adopt techniques like biometrics, thermal scanning, retinal scans etc for high privileged accesses.
- Ensure all social identities are published. Audit for the unpublished identities.
- Have robust frameworks built for Mobile device management. These frameworks should be at application layer level on every device ensuring highest level tracking and auditing
- Build application development frameworks to ensure zero vulnerability in code.
- Last but not the least, educate everyone on social engineering, phishing and other fraudulent techniques.
Conduct periodic checks/audits to validate all identity related information.