eControl for Mixed Networks
Web-based, “ZERO Rights” Delegated User Account Management, Account Creation and User Self-service
Aldo Zanoni B.Ed., B.A., CEO, Managing Director, Omni Technology Solutions
Tel: +1 780-423-4200 [email protected]
GWAVACon presentation, October 18, 2008
eControl is a web-based, “ZERO-Rights” delegated enterprise user account management and provisioning tool, with user self-service, for users of Novell eDirectory, GroupWise and NetMail; Microsoft Active Directory and Exchange systems; and Lotus Notes* and OpenLDAP*.
eControl delivers an immediate return on investment.
It enables an enterprise to efficiently and inexpensively implement secure user account management and provisioning services across multiple and mixed network operating systems and e-mail systems.
eControl relieves the pain caused by needing to use multiple applications to manage mixed and multiple Novell eDirectory, Microsoft Active Directory, Novell NetMail, Novell GroupWise and Microsoft Exchange systems.
eControl replaces iManager, ConsoleOne, NWadmin, Microsoft Management Console and Taskpads for help desk operators, junior administrators and delegated staff.
To fill gaps caused by exceptions to standard IDM managed processes.
As a perfect fit for companies that are too small or don’t have the need or resources to implement a full IDM solution.
Where there is an overlap between eControl and IDM, eControl can be used as a complementary “exception gap filler” to resolve the 10% of problems that cause 90% of the challenges in IDM deployments.
US Government Department (2003) – 1,000 eDirectory and GroupWise accounts. Will expand to include 3,500 AD and Exchange accounts. IDM in planning. Our second customer.
Major Global Retailer (2006) – 70,000 accounts in IDM vault, 3,500 GroupWise and eDirectory accounts in production tree. Best-known customer.
Global Marketing Group (2004) – Started with 7,500 eDirectory and GroupWise accounts. Migrated from GroupWise to Lotus Notes last year. Now uses eControl to manage 30,000 accounts.
US State Government (2006) – 7,000 eDirectory and GroupWise accounts. First step in their strategy to consolidate 20 different GroupWise systems into a data centre.
Manufacturing Corporation (2002) – 5,000 eDirectory and GroupWise accounts. Expanded to a third production shift without adding any help desk staff.
Small Mortgage Company (2005) – 150 eDirectory and Exchange accounts. Smallest customer.
National Grocery Retailer Chain in Chile – Initial deployment of 2,500 Active Directory and Exchange 2007 (Total of 15,000 accounts).
County Government in California – 5,400 eDirectory and GroupWise accounts, 200 Active Directory and Exchange accounts. 5 separate eDirectory Trees share a single GroupWise system.
County Government in Michigan – 1,800 eDirectory, Active Directory and GroupWise accounts. Adding IDM in September.
US State Department of Correction – 2,500 eDirectory and GroupWise accounts
US Federal Government Department – 3,500 accounts for eDirectory, GroupWise and Active Directory
A fully integrated Identity Management solution is the Holy Grail of most companies. However, we know there are many companies, big and small, that struggle with the “big” step processes involved in achieving a fully automated identity management and account provisioning solution.
For certain companies, achieving the IDM Holy Grail is more difficult and time-consuming than expected.
In many cases, IDM implementations are similar to SAP in that the implementation involves an all-encompassing, process-driven, multi-department, all-impacting solution.
This difficulty is not caused by the technology. It is caused by the systemic complexity created by the multitude of access roles and rules that need to be defined to automatically manage access rights across multiple systems as processes change.
eControl delivers an immediate solution to provide web-based, “ZERO-Rights” user account access administration and provisioning. It allows the IT manager and the security administrator to determine who can carry out what user account management tasks against which accounts.
eControl allows the CIO and IT department to focus on contributing to the company’s high-value business processes rather than having to be concerned with the administration of user access rights across multiple systems and related security issues.
eControl appeals to different levels of decision makers because of intersecting and complementary objectives:
– CIOs look to improve the efficiency of IT staff allocation and allow highly-trained, scarce resources to focus on delivering business value through IT integration initiatives.
– CFOs look to implement cost containment strategies.
– CSOs look to satisfy legislative or internal user account management and data access security requirements.
– Business unit managers and service desk managers look to increase user productivity and make user management changes in a time-effective way.
Cross-platform, multi-system, controlled and restricted interface to delegate standard account management tasks to Help Desk Operators and non-technical staff.
Help Desk Module allows managers or HR to be responsible for account enabling/disabling without any associated security risks.
Delivers real-time user account management changes with full audit trail.
Significant time and cost savings in training non-technical staff how to use eControl. It takes 15 minutes to train a new Help Desk staff member!
They are responsible to ensure internal and external information and security compliance requirements are satisfied
eControl allows the removal of all trustee assignments, system rights, permissions and related user account access rights from the native operating systems
By completely removing trustee assignments and permissions from user accounts, eControl allows Security Administrators to have 100% control over the security failure points on the system.
eControl provides a complete audit log of all transactions - for everything from password changes to adding or removing a user from a group
– eControl delivers cost avoidance. eControl allows a company to not have to increase the number of IT staff to carry out user management tasks.
– eControl delivers significant cost reduction by making it simple for non-technical (less expensive) clerical staff to be assigned user account provisioning and administration tasks
– User self-service significantly decreases costs related to the number of password change and demographic change requests that would otherwise need to flow through a help desk environment
eControl enhances compliance with HIPAA, Sarbanes-Oxley and other security and privacy legislation through increased security and controls in the following areas:
– Authentication and Authorization: All system rights are removed from all accounts and replaced with explicit task assignments based on group membership.
– Configuration and Change Management: Only those users who have been authorized to carry out user configuration and changes are able to do so. All changes made by administrators in the eControl administration and configuration application are tracked and can be made available for audit. A record of all administration changes that are made is maintained so the state of eControl at any previous time can be determined.
– Segregation of Duties: eControl can be configured to ensure that no single person has rights to carry out access management and be responsible for auditing, initiating or approving incompatible activities in those systems.
– Documentation and Reporting: eControl's audit log and tracking strategies provide support for appropriate reporting on each participant's role and activities in the user management and account provisioning process. eControl keeps track of who did what, when. (See Sample Log.) Future enhancements to eControl will allow for non-technical resources and auditors to run web-based, ZERO-Rights audit reports to support Sarbanes-Oxley and other reporting requirements.
2/2/2006 10:20:01 AM;1021;GW Distribution List Membership Viewed;True;10.10.2.21; LDAP://10.10.2.16:389/cn=Stephane,o=DEV; LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;HelpDesk
• Help Desk User Management (HD) – Provides Help Desk Operators with the ability to carry out the “TOP TEN” user administration tasks – in a web browser. NO rights required!
• Account Create / Manager (AC) – Allows HDOs to create users based on eControl profiles and Account Create templates
• User Self-Service / Self-Administration (USS) – Allows you to set which user fields can be updated or modified by a user in the web interface
• Contact Lookup (CL)* – Allows users to retrieve configured information from eDirectory (phone numbers, etc.)
• Sarbanes-Oxley Reporting (SOX)* – Allows “ZERO Rights” web-based access to security and audit reports by non-technical staff
1. Manage Account Password and Strong Password
2. Enable / Disable User Accounts
3. Manage Group Memberships
4. Manage Exchange Mail Groups
5. Release Intruder Lockout
6. Create User Identification Information
7. Manage Account Expiration Date
Provision accounts based on eControl Account Create wizard linked to eDirectory / Active Directory profiles (e.g., home directory, group memberships, email account and all other account information)
Customizable user-required fields (e.g., first name, last name, middle initial, phone number, department, mobile number, etc.)
Creates user name based on specified naming convention and requires name to be unique across all configured systems
• Windows 2000 with IIS 5 or 6
• Windows 2003 if GroupWise support not required
• Security certificate for SSL
• Microsoft Message Queuing (MSMQ)
• Novell Client 4.9*
• Novell GroupWise 5.x, 6.x or 7 Client*
• MSSQL, MSDE or Schema Extension to provide “forgot my password” self-service
• MSSQL or MSDE for audit trail archiving
• Novell NetWare*, OES*, SUSE Linux*, Windows
• NDS Version 8.5 or any version of eDirectory
• Any version of Active Directory
• Have department mergers or corporate acquisitions made your user account creation and management tasks cumbersome and complex?
• Are costs increasing and productivity decreasing due to the training required for Service Desk Operators to use a combination of ConsoleOne, NWAdmin, iManager, Microsoft Management Console or custom Task Pads?
• Terrified about the consequences of a Help Desk Operator or junior administrator hitting the delete key on the wrong object or accessing information they shouldn’t?
• Need to deploy user password self-service or user self-service for GroupWise in a multiple or mixed eDirectory, GroupWise, Active Directory or Exchange environment?
• Are you being asked to manage and integrate more complex systems with fewer resources?