08.23.2018 - Gartner Magic Quadrant for Access Management, Worldwide

According to Gartner, “Niche Players provide access management technology that are a good match for specific use cases. They may focus on specific industries or have a geographically limited footprint; however, they can actually outperform many competitors.” Optimal IdM is honored to be included in the Gartner 2018 Magic Quadrant for Access Management, Worldwide. We believe our placement affirms our unique offering that goes beyond what other vendors in the space provide, namely the choice of a non-shared environment: a private, dedicated, secure, single-tenant deployment for IAM. Optimal IdM solutions are highly customizable and offered as a fully managed service. Optimal IdM’s customization, innovation, and affordable monthly plans make it an ideal solution for growing organizations. Here are a few highlights of what to expect from Optimal IdM: ...

08.20.2018 - Troubleshooting Federation with Fiddler – Part 3 of 3 – Debug Oauth2 and OpenID Connect Federation Issues

Fiddler is simply the best tool to debug federation issues. Optimal IdM has just released a white paper on this which you can download from our website. This is part three of a three-part blog series on this topic. In part one we covered how to use Fiddler to debug WS-Federation issues. In part two we covered how to use Fiddler to debug SAML 2.0 federation issues. Here in part three we will cover how to use Fiddler to debug OAuth2 and OpenID Connect federation issues. OAuth2 and OpenID Connect define different grant types. Depending on the grant type, the flow may consist of a mixture of web application and web service (REST) calls. The most commonly used grant is the Authorization Code grant. In this grant the user’s browser is used to make a web application authentication request, after which an Authorization Code is returned to the web application. The web application then makes a REST call to the IdP to exchange the authorization code for an Access Token and a JSON Web Token (JWT). If you get an error on the Identity Provider during the Authorization Code grant request, run a Fiddler trace while reproducing the issue. Then look for a GET request to the IdP carrying the URL parameters listed below. You can see the URL parameters by selecting the line in the request list and then going to the Inspectors -> Web Forms tab. The URL parameters for the OAuth2/OpenID Connect authentication request are: ...

07.23.2018 - Manufacturers Need Industrial-Quality Access Control

Ideas about cybersecurity in the manufacturing sector have started to change, and it’s about time. Until recently, a common misperception among those in the industrial world was that they had little to attract hackers: no credit card data, no health records, no bitcoin. But manufacturers do have data, and it’s immensely valuable: their trade secrets. Profit isn’t the only motivation for hackers; many just want to cause chaos. There are plenty of reasons for hackers to attack manufacturing systems; the proof is that one out of three industrial control systems (ICS) computers were hacked last year (Kaspersky Lab, Sept 2017). That number seems daunting. Many industrial automation systems have only limited internet connectivity, if any at all. But they are connected to their corporate networks, and that’s where the weakness lies. Only half of manufacturing businesses isolate their ICS networks from their corporate networks (www.ncms.org/CyberSecurityReport). The rest are at the mercy of the same phishing, ransomware, and insider attacks as any financial or healthcare organization. One vulnerability that affects manufacturers in particular is poor security practices among their vendors. It takes just one weak partner to infect an entire supply chain. Hackers are efficient criminals; they conduct research using LexisNexis, LinkedIn, and even dumpster diving to learn what they need to know to launch the most effective attack possible against their target of choice. If they want to attack your business, they may learn who your vendors are, choose those they suspect to be the weakest (which may be a mom-and-pop shop, or may be a larger business that has a reputation on the dark web as an easy takedown), and breach the weak vendor in order to hop onto your network.
Security professionals like to say, “Security is people.” The average worker at a bank or hospital is highly aware that their employer is a high-value target, so they are more cautious than those in other industries about clicking on links or opening attachments. The average worker in an industrial business may not be as guarded. Security awareness training is a step in the right direction, but not all workers will take it seriously. Even if every worker did keep security at top-of-mind, humans still make mistakes. It just takes one accidental click to open the door to malware. And once inside, it may make its way to whatever target its authors desire. That could be your trade secrets, or it could be the main controllers in your automation system. ...

07.5.2018 - Troubleshooting Federation with Fiddler – Part 1 of 3 – Debugging WS-Federation Issues

Fiddler is simply the best tool to debug federation issues. Optimal IdM has just released a white paper on this which you can download on the left side of this page. This is part one of a three-part blog series on this topic. In this blog we will cover how to use Fiddler to debug WS-Federation issues. The URI for a relying party or identity provider may be in the form of a URL (such as http://my.test.com) or a URN (urn:my.test.com). URIs (both URNs and URLs) are case sensitive when used for federation. For URLs used as URIs, every “/” is part of the name, as is the protocol scheme. When used as URIs, http://my.test.com, http://my.test.com/, https://my.test.com, and https://my.test.com/ would all be considered different URIs. This often causes federation errors. After capturing the Fiddler trace, look for HTTP response codes with value 404. The response code is the second column from the left by default, and an error response code will typically be highlighted in red. If you see a 404 error, it is likely one of two reasons: 1) the URL is wrong and does not point to a valid location, or 2) the URL length exceeds that which the server can support. If you see a 404 error in the browser that does not show up in the Fiddler trace, that indicates the URL length exceeds the URL length limit of your browser. Browser URL length limits are vendor dependent. ...

05.22.2018 - Protecting Your Patient’s PHI Data (Part 1 of 2)

For healthcare, there’s never been a more urgent time to reassess your cybersecurity and identity and access management strategy. Until recently, protected health information (PHI) was the most valuable merchandise on the Dark Web. Complete healthcare records were going for $75 to $100 at the height of demand, according to the Institute for Critical Infrastructure Technology (ICIT). In fact, there’s so much PHI on the market now that the ICIT says prices have plummeted by about half. But even at half price, PHI can earn a hacker more than 10 times the price of financial data. PHI is desirable because it has a much longer shelf life than financial data, and the loss of PHI is not so easily discovered. Last year, ICIT reported that healthcare organizations took an average of 308 days to discover they had been breached. A hacker is looking for access to privileged accounts. If he/she gets them, then finding the breach becomes extremely difficult, because administrators have extensive abilities to cover their tracks. That’s why protecting privileged accounts and confidential data is a great starting point. Never underestimate your cyber-enemy and malware. They are patient, and will likely suffer no ill consequences if caught. Let’s take a look at a few tactics they use to breach your data: ...

05.2.2018 - Know Your Credentials: The Other KYC Requirement

The way people want to interact with their financial providers has changed quickly in the past few years. Now, account holders want control over their funds, and they don’t want to jump through hoops to exert that control. They expect a streamlined customer experience that lets them accomplish their tasks quickly, and there are great rewards to be reaped by institutions able to meet those expectations. For example, according to PwC’s 2017 Digital Banking Consumer Survey, 46 percent of consumers do all their banking online, a percentage that will grow even larger as the first generation of digital natives—those graduating high school around now—enter their adult lives and establish relationships with banks and investment firms. A delightful customer experience isn’t the only purpose of good identity and access management. Financial firms need to meet Know-Your-Customer (KYC) requirements from many regulatory bodies in order to avoid hefty fines. These institutions may assume that meeting KYC and other regulatory requirements means their sensitive data is safe, but that would be a mistake. Hackers aren’t the only threat to Personally Identifiable Information (PII) and other sensitive data. A financial organization’s own employees can present a danger as well. Insider threats take many forms. In rare cases, the employee is a thief who has actively sought access to parts of a core system they have no business accessing. In some cases, the employee is an opportunist who borrowed someone else’s credentials for legitimate reasons and then stumbled onto a trove of data that was too tempting to leave alone. But far more often, the employee is an unwitting pawn who’s fallen for a phishing scam or been socially engineered into sharing credentials with a con artist. Yet regardless of an intruder’s motivation or means, the results for the employer are the same: data leakage, brand damage, and regulatory penalties. ...
