The identity management system is a central part of any IT department. As long as it is working, few people take notice of its existence, and consequently it is rarely optimized to improve the quality of the overall system. With 16 years of experience in developing a central identity management (IdM) server solution, Univention has identified ten steps to improve your IdM, no matter whether you run your IdM on premises or in the cloud, such as UCS on AWS. Let us go through them.
Step 1: Take an Inventory of Your Applications + Remove Shadow IT
When thinking about our IT environments, we often think in physical terms and consider what servers, switches, and cables we have. Keeping an inventory of those is definitely a necessity and required by any accounting department. But we rarely think about doing the same for our software. This is especially true for any 'shadow IT' that might have grown outside the IT department. Only with a full list of software can you continue making significant improvements to your IT.
Your official IT services should be found by reading your documentation. For the shadow IT, it might not be as easy.
Our three favorite ways to determine the shadow IT products in use are the following:
- Ask your users! This is probably the easiest way to find out. This also gives you the opportunity to learn more about what services and tools they value and need most.
- Ask your accounting department for a list of vendors and scan them for IT service providers that provide you with services. The applications most often found here are planning and dashboard tools such as Trello.
- And if your company's policies and applicable laws allow, look at your firewall. If you have the option to export outgoing connections and sort them by number of connections, you should find out what your users are using. Most often you find consumer cloud services here; Dropbox and Box will most probably pop up.
The overview of all applications in use you gain from this scanning process allows you to improve the set of applications offered to your users and will gradually reduce the shadow IT, which in turn will reduce overhead and improve security and stability.
Step 2: Create one leading Service
Between LDAP directories, SQL databases and online services such as login with Google, there are numerous ways to manage identities within an organization. In most cases, each application has the option to maintain its own user base and may be able to control other software as well.
Making an explicit decision about which system should maintain the identities is an essential step in designing the system and ensuring that the leading system has all the information it needs to control every application you found in step 1.
Be sure that your chosen system can control your applications. UCS, for example, offers both OpenLDAP and AD to your applications as well as numerous connectors for online services. All functions and tools available for UCS can be found in the Univention App Center.
After the decision, focus on integrating the different systems one at a time. If you use virtualized systems, you might be able to create a copy of the involved servers to ensure that you have covered all the needed settings before applying them to the production environment.
Step 3: Make Your Users more Comfortable
Most users are not particularly concerned about privacy and data protection. While management is often aware of their importance, users often rank them second behind their comfort. Thus, when trying to make an impact by implementing a central IdM, the convenience it brings to your users is often a critical tool for acceptance and success. Therefore, while "same user, same password" policies might be sufficient to fulfill the requirements of the administrator or your strategy, only with a single sign-on system will you be able to convince your users that your services are better than any services they might be using at home.
Step 4: Minimize Your Work
Now, user comfort and app coverage are the essentials for the continued acceptance of your IdM. However, no management system is complete without a way to manage it. Having templates and reasonable defaults allows you to minimize the routine tasks of creating users and moving them to the respective department. If your system enables you to set defaults, great, make use of these. If not, you might want to look for a new system.
Step 5: Review Your Password Policies
Recommendations and possible requirements for password policies have changed. The National Institute of Standards and Technology has updated its documentation, and Section 5.1.1 provides an excellent (and free) starting point for the up-to-date thinking on secure passwords. The up-to-date policies are not only a security consideration; they also feed straight back into user comfort. If you still require six-character passwords that expire every three months, you might want to consider checking the new requirements. With ever increasing computation power at ever lower prices, the recommendation goes toward longer passwords that are kept for half a year or even longer. The less often users have to change their password, the more likely they are to choose a reasonably complex one.
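As an added illustration of the policy shift described above (example code, not from the article or from Univention), the following contrasts a short-password/frequent-rotation policy with a longer-password/longer-lifetime one; the concrete numbers, the blocklist and the guess rate are assumptions for this example, not values the article or NIST prescribe.

```python
from datetime import date, timedelta
from typing import Dict, List

# Two constructed policies: the old "6 characters, change every 3 months" style
# versus the longer-password, longer-lifetime style the article recommends.
OLD_POLICY = {"min_length": 6, "max_age_days": 90}
NEW_POLICY = {"min_length": 12, "max_age_days": 180}

# Tiny constructed stand-in for a list of commonly used / breached passwords.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}


def check_password(candidate: str, policy: Dict[str, int]) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if candidate.lower() in BLOCKLIST:
        problems.append("found in blocklist of commonly used passwords")
    if len(set(candidate)) == 1:
        problems.append("single repeated character")
    return problems


def must_rotate(last_changed: date, policy: Dict[str, int], today: date) -> bool:
    """True when the password is older than the policy's maximum age."""
    return today - last_changed > timedelta(days=policy["max_age_days"])


def keyspace(length: int, alphabet_size: int = 62) -> int:
    """Number of candidates an attacker must try to exhaust a random password
    of the given length over a 62-character alphanumeric alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(length: int, guesses_per_second: int = 10**10) -> float:
    """Worst-case time for an offline brute force at an assumed guess rate."""
    return keyspace(length) / guesses_per_second


if __name__ == "__main__":
    for name, policy in (("old", OLD_POLICY), ("new", NEW_POLICY)):
        n = policy["min_length"]
        print(f"{name}: {n} chars -> {seconds_to_exhaust(n):.3g} s to exhaust")
    print(check_password("Password", NEW_POLICY))
```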
Step 6: Two-Factor Authentication
Industry espionage is not something that affects only large companies. Even mid-size and small firms are hit by it every day. One of the most common ways to get information is cracking passwords. A good password policy, as mentioned above, can mitigate some of the issues. However, why not make 2018 the year you implement two-factor authentication across your IT landscape? Tools such as privacyIDEA and the YubiKey allow you to offer your users hardware-based authentication.
Step 7: Use Individual Administrator Accounts
Root and Administrator are two very convenient accounts that you find on your servers and workstations. They are readily available for your administrators and everyone will remember the name. Of course, if you forget the password, your colleagues are all happy to share it with you.
Individual accounts mitigate this issue. You have one account per administrator with its own username and password. Naturally, these accounts should be different from the ones used for day-to-day work.
Step 8: Record Changes and Audit Changes
Separate accounts for administrators also allow you to log changes and monitor who changes which settings. Monitoring changes is not only significant for accountability but even more helpful when planning the future of your environments. If you see that one administrator always applies one parameter to a class of objects, you might want to consider making it the default.
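An added example (not code from the article or from UCS) of the two points made in steps 7 and 8: it walks a constructed change log, flags changes made from a shared account that no individual can be held accountable for, and reports attributes that one administrator sets to the same value nearly every time, i.e. candidates for a default. The log line format and the thresholds are assumptions for this example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed audit lines (not a real UCS/UDM log format): who changed which
# kind of object and which attribute was set to which value.
AUDIT_LOG = """\
2018-03-01T08:02:11 admin=alice action=create type=user dn=uid=u1 set=shell=/bin/bash
2018-03-01T08:05:40 admin=alice action=create type=user dn=uid=u2 set=shell=/bin/bash
2018-03-01T09:12:03 admin=bob action=create type=user dn=uid=u3 set=shell=/bin/sh
2018-03-02T10:44:19 admin=alice action=create type=user dn=uid=u4 set=shell=/bin/bash
2018-03-02T11:01:55 admin=alice action=modify type=group dn=cn=g1 set=description=Sales
2018-03-03T08:30:07 admin=alice action=create type=user dn=uid=u5 set=shell=/bin/bash
2018-03-03T14:20:42 admin=root action=create type=user dn=uid=u6 set=shell=/bin/bash
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) admin=(?P<admin>\S+) action=(?P<action>\S+) "
    r"type=(?P<type>\S+) dn=(?P<dn>\S+) set=(?P<attr>[^=]+)=(?P<value>.*)$"
)

SHARED_ACCOUNTS = frozenset({"root", "Administrator"})


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one audit line into its fields; reject anything unparseable."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    return m.groupdict()


def shared_account_events(log: str) -> List[str]:
    """Changes made from a shared account: nobody individual is accountable."""
    return [l for l in log.splitlines() if parse_audit_line(l)["admin"] in SHARED_ACCOUNTS]


def default_candidates(log: str, min_count: int = 3, min_share: float = 0.9
                       ) -> List[Tuple[str, str, str, str, int]]:
    """(admin, type, attr, value, count) where one admin sets the same value
    for an attribute in at least min_share of their changes of that type."""
    per_admin = defaultdict(Counter)  # (admin, type, attr) -> Counter(value)
    for line in log.splitlines():
        rec = parse_audit_line(line)
        per_admin[(rec["admin"], rec["type"], rec["attr"])][rec["value"]] += 1
    found = []
    for (admin, otype, attr), values in per_admin.items():
        value, count = values.most_common(1)[0]
        if count >= min_count and count / sum(values.values()) >= min_share:
            found.append((admin, otype, attr, value, count))
    return sorted(found)
```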
Step 9: Review Server Settings
Most of us run our servers for a long time. Especially when using virtual machines and in-place software updates, you might still be running software that you initially installed ten years ago. While this is great regarding efficiency, it also means that many of your settings may have been in use longer than some of us have been working on that server.
Reviewing the default settings is often forgotten, and it is a good idea to look into the configuration to see whether any improvements are needed.
Step 10: Off-Site Copies
Imagine your server room has an electrical issue and is not operational. Since all your cloud services get their passwords from that server, your colleagues could not even take their laptops home, as none of your cloud services would be available.
This is where an offsite server is helpful. If the server is far enough away from you, even a significant problem will not affect its operation. With cloud services from AWS and Azure, an offsite server holding an offsite backup can be created for a few dollars per year.
More information on Univention Corporate Server as an example of an open and central IdM can be found in the following previous articles:
- Introduction To Univention Corporate Server
- Installation and Configuration of Univention Corporate Server
- Setup A Private Server With ownCloud, Kopano And Let’s Encrypt On UCS
Making improvements to your IdM will make your admin life easier and your overall IT more secure. By tackling small projects one at a time, you will be able to make these changes one by one and improve your IT continuously. While the effects of the above changes might not seem big in the beginning, each of them can make a consequential impact on your IT in the long run.