Thursday, March 29, 2018

CA SiteMinder - Drawbacks

Most Single Sign-On products that have been on the market for the past 10 years provide agent-based solutions.

Agent-based solutions have been working like a charm, but they have been a pain operationally.

  1. The cost of agent management grows as the deployment grows
  2. Application owners and developers are concerned about time to deploy
  3. Every agent upgrade needs to be coordinated with the application owners

These are very true points from our experience deploying multiple large-scale SSO solutions in the past.

One of the workarounds is not to deploy an agent on every application server. Instead, deploy a Reverse Proxy farm (RP farm): a centrally controlled farm of Apache HTTPd servers with the agents deployed on them, fronting the applications.

Of course, bad points aside, there are benefits to agent-based solutions.

  1. Broad application coverage
  2. Security
  3. Scalability

Thursday, March 22, 2018

AliCloud ECS Web Hosting

I have been playing a bit with Tencent Cloud and Ali Cloud lately due to some projects in China.

I was experimenting with how easy it is to host a sample website on Ali Cloud. It should be a 5-minute job. It took me longer last night.

I kept hitting this error: "This site can't be reached".

I SSHed into the server and found there weren't any iptables rules enabled. The Apache HTTPd daemon was up and running.

I just couldn't figure out why, so I googled for clues.

There is pretty good documentation from the Alibaba Cloud documentation team. (Yes, I was pretty surprised; the English was good.)

  • https://www.alibabacloud.com/getting-started/projects/deploy-and-host-a-wordpress-website
  • https://www.alibabacloud.com/help/doc-detail/27550.htm

The step-by-step instructions were clear and concise. It made me look like a clown for not being able to get my sample website to work!

I had no choice: I had paid a year upfront, so I must get value out of it. I raised a support ticket, and while I was waiting for a response, I came across a sub-menu called "Security Groups". No harm taking a look.

Bingo! The "firewall" is not configured within the server via iptables. It is configured via the ECS console, as a security group attached to the instance.

I added a new rule to accept inbound HTTP (TCP port 80) traffic, and that did the trick!
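As an added triage example (not part of the original post), here is the order of checks I would script before raising a ticket: is the daemon actually listening on the port, does the host firewall block it, and if neither explains the symptom, go and look at the ECS security group. The `ss -ltn` and `iptables -S` outputs below are constructed samples passed in as strings so the logic runs offline; on a live host you would feed in the real command output instead.

```shell
#!/bin/sh
# Added example, not from the original post. Triage for "This site can't be
# reached" when the host looks healthy: the three verdicts map to the three
# places the problem can be (daemon, host firewall, cloud security group).
# Inputs are the text of `ss -ltn` and `iptables -S`, passed as strings.

# Return 0 if some socket is in LISTEN state on the given TCP port (any address).
port_listening() {
  port="$1"; ss_output="$2"
  printf '%s\n' "$ss_output" | awk -v p="$port" '
    NR > 1 && $1 == "LISTEN" {
      n = split($4, a, ":")          # "0.0.0.0:80", "*:80" or "[::]:80"
      if (a[n] == p) found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# Return 0 if the host firewall would block the port: either an explicit
# DROP/REJECT rule for it, or a default-DROP INPUT policy with no ACCEPT for it.
host_firewall_blocks() {
  port="$1"; ipt_output="$2"
  printf '%s\n' "$ipt_output" | awk -v p="$port" '
    /^-P INPUT DROP/ { default_drop = 1 }
    /^-A INPUT/ && ($0 " ") ~ ("--dport " p " ") {
      if ($0 ~ /-j (DROP|REJECT)/) blocked = 1
      if ($0 ~ /-j ACCEPT/) accepted = 1
    }
    END { exit ((blocked || (default_drop && !accepted)) ? 0 : 1) }'
}

# Combine the two checks into a single verdict string.
triage() {
  port="$1"; ss_output="$2"; ipt_output="$3"
  if ! port_listening "$port" "$ss_output"; then
    echo "daemon-not-listening"
  elif host_firewall_blocks "$port" "$ipt_output"; then
    echo "host-firewall-blocks"
  else
    echo "check-cloud-security-group"   # nothing on the host explains it
  fi
}

# Constructed sample outputs (not captured from a real ECS instance).
SS_HTTPD_UP='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     *:80                 *:*'

IPT_EMPTY='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

IPT_DROP80='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP'

IPT_DEFAULT_DROP='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# The situation in the post: httpd up, no iptables rules, still unreachable.
triage 80 "$SS_HTTPD_UP" "$IPT_EMPTY"
```

The verdict `check-cloud-security-group` is the case in this post: every host-local check passes, so the only remaining filter is the one the console owns. The same script distinguishes the two host-side causes (a stray DROP rule, or a default-DROP policy with no ACCEPT) so they are ruled out before touching the security group.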

What's the point of documenting so much when the essential point is not covered?

Friday, March 9, 2018

Identity Governance of Unstructured Data

I received an email from SailPoint this morning. It has just published a white paper on how to secure access to unstructured data.

It examines each of the organizational and technical barriers to securing unstructured data and provides practical advice on how IAM managers should respond to this risk. It explains how identity governance can be extended to better secure unstructured data to meet privacy and compliance requirements.

So far, there are only two products that can govern unstructured data: one from SailPoint (I think they bought a product called WhiteBox), and One Identity Manager - Data Governance.

Identity Manager - Data Governance Edition protects your organization by giving access control to the business owner rather than the IT staff. The business owner can grant access to sensitive data. With the Identity Manager restricted access functionality, you define access policies for your organization. You have the power to analyze, approve and fulfill unstructured data access requests to files, folders and shares across NTFS, NAS devices and SharePoint, ensuring that sensitive, unstructured data is only accessible to approved users.

The primary targets are Windows Shared Folders/Files, especially within SharePoint.

I know there is already a project on-going in Australia that adopts Identity Manager - Data Governance Edition. Wishing them a successful implementation!

In my opinion, Data Governance is quick to win (for Sales), but very hard to exit (for Implementers).

Will I take this up? :)

Friday, March 2, 2018

Gartner Magic Quadrant - IGA 2018

The latest Gartner Magic Quadrant is out. Congrats to the One Identity folks! They have made it to the Leaders quadrant (from Challengers last year). 

On the trip to Bangkok in February for the One Identity APJ UNITE Partner Conference, I was sharing with the marketing folks that we need more effort in creating awareness for One Identity IDM. We all know One Identity IDM has been selling like hot cakes in Australia for years. It's well known down under, but not in the Asia region, even though many would agree it is a pretty good product.

I like its architecture when compared with Oracle and CA.

With this latest announcement, let's make inroads into Asia!
