Tuesday 21 April 2009

Benelux Tivoli User Group - DAY 2

Because the user group rescheduled the agenda a bit, Peter Volckaert started with an introduction of IBM Tivoli Directory Integrator. I missed that presentation, but for the ones interested, following a link to the product site: http://www-01.ibm.com/software/tivoli/products/directory-integrator/.

And, finally, TCIEM development manager Michale Pintus and the product manager (grr … I can’t remember his name right now) gave the best of themselves explaining “Tivoli Security Information and Event Manager” in a nutshell. Until recently, companies were focusing on how to protect themselves against threads from the outside world. Because of a growing number of incidents (fraud, data loss…) initiated from inside the network, the demand for software addressing such issues became an urge.
TCIEM is comprised of two products:

1. TCIM or Tivoli Compliance Insight Manager: TCIM helps managing the billions of log file entries in a fast and efficient matter. Using an easy dashboard, one can easily gain an overview saying the environment is compliant with the security strategy in place. Using the same dashboard, an administrator can easily investigate a users’ activity, tracing security issues…

2. TSOM or Tivoli Security Operations Manager: Where TCIM is focusing on gathering information from log files, TSOM gathers real-time operational events coming from firewalls, ips-systems… TSOM also comes up with a dashboard showing security issues in real-time and serves as a launchpad to grave deeper into security issues.

Both the products are translating the complex log-data to an easily understood language, through the W7-methodology (Who, did What, When, Where, Where from, Where to and What). This data is made available through the dashboard, where further investigation is possible by clicking on the topic.

TCIM and TSOM are very closely tightened to each other; TSOM-data can easily be imported in TCIM where it is made available through the dashboard via the W7-methodology.

For those who know CARS (Common Auditing and Reporting System): on middle-term, this will be replaced by TCIEM.

And finally, we rounded up the second day with a presentation given by Guido Van Nuffelen about “Experiential Communications Management”. What it was all about? Well, Guido started his presentation by showing two short movie fragments: one of the legendary A-team, one of “Sex and the city”. After showing these, he raised a question asking what both the movies had in common: the number four. And, what he meant with that number: it seems that every good team is made up of four participants: an executer, a dreamer, a thinker, a decider. Any other combination will probably end-up in a mess: e.g. a team of 4 dreamers will bring up many ideas, but no one will be able to make it effectively working …

To summarize: the event was pretty informative, it gives the ability to get in touch with other products within the Tivoli-family and not less important … if the event is not planned during a vacation period … you do have the chance to get in contact with potential clients and IBM-people.

Benelux Tivoli User Group - DAY 1

Last week (16th and 17th of april) the 2-day taking spring edition of the “Tivoli User Group Netherlands” (Tivoli User Group Nederland, www.tggn.nl) took place in the Antwerp conference center “Elzenveld”, sponsored by IS4U. Well, because TGGN has expanded to Belgian and Luxembourg since the start of 2009 the half-yearly meeting is now called “Benelux Tivoli User Group” … which was the most significant announcement of Chairman Derk Yntema during the welcome.

Before starting with the usual parallel sessions, as “Director of Strategy for IBM Tivoli Software Brand” Don O’Tool gave a nice presentation about the strategy IBM would follow concerning the Tivoli-branded products. Next to improving and extending the current Tivoli-product basis, “green”-thinking really starts to play a major role.

The next IBM-representative, Steve Anderson, came up with a relatively short presentation about services and support where the following items were the most important ones: the differences between a standard and premium support contract, the different possibilities available for requesting support (ESR, Chat,…). And last but not least, IBM-support people now do have the possibility to log in remotely to the customers site to examine a problem in real life which saves the customer of gathering the bunch of data needed when creating an ESR.

As mentioned earlier, the program was based on three tracks: “Green”, “Employee Life Cycle Management” and “Virtualization”. As an IS4U-employee, mainly involved in TIM/TAM-projects, I decided to attend the second track.

Peter Volckaert, technical Tivoli Security sales specialist, did open with a presentation about the new “Tivoli Security Policy Manager” (http://www-01.ibm.com/software/tivoli/products/security-policy-mgr/) offering “security as a service”. Using Policy Manager, dynamical fine-grained authorization towards applications and web services becomes easy manageable. In fact, the software supports the full policy lifecycle management: author, transform, enforce, monitor. To address the client’s needs, Policy manager comes in two offerings:

1. Security Policy Manager for Application Entitlements: Application owners can externalize authorization and audit from their application code.

2. Security Policy Manager for SOA: Application owners can externalize the security policy protecting their web services. Besides, this solution easily integrates with the WebSphere SOA-appliances (Datapower).
Policy Manager is completely based on open-standards making it easily working with third-party software supporting those standards.

Next, in two successive sessions, the asset management tool “Maximo” (http://www-01.ibm.com/software/tivoli/products/maximo-asset-mgmt/) was explained (the user group played a bit around with the agenda). In the earlier years (read: before the acquisition of IBM) MRO’s Maximo was only focusing on not IT-related operational asset management. As more and more assets are touched by technology MRO and IBM came together to address this issue, finally ending in IBM adding Maximo to the Tivoli portfolio. One session was mainly focusing on how to use Maximo within the scope of “Employee Lifecycle Management”, where the other session was more related on how to use it in “managing IT and non-IT Assets”:

1. Employee Lifecycle Management: e.g. streamline the process to follow when an new employee starts working at a company, make sure he/she gets his company car if appropriate, does the user needs a cell phone and order one if necessary, make sure the user does have the necessary accounts created, … Make sure a retiring user hands over all its assets the moment he/she leaves, …

2. Managing IT and non-IT assets: e.g. streamline the processes at a helpdesk, based on the answers given by a user; a solution is given without the intervention of a helpdesk employee.

One important question was: isn’t there a remarkable overlap with ITIM (Identity Manager); the answer was more are less fuzzy.

As a last topic on this first day, Michael Ravelingien gave a very clarifying demo on Encentuate’s single sign-on solution (also strong authentication) (http://www-01.ibm.com/software/tivoli/products/access-mgr-esso/), acquired by IBM somewhere in March 2008. It was pretty astonishing to see what the possibilities of that package are, remember … once up a time with Passlogix (but it could run as standalone application). According to a Gartner report, the support of the latter will continue for another two years (dated 14th of March 2008) while IBM is preparing a migration to Encentuate-based solutions. The tool has the possibility to work in a shared or private workspace within a Windows environment, where there is a performance profit when choosing the first option. The second option is security-wise a better option because of each user has its proper context. Furthermore, RF-badge authentication is supported out of the box, possibility to close user windows when switching from one user session to another … great tool as soon kiosk pc’s (e.g. hospitals) are appearing into the picture!

We ended up our first day with a dinner in the restaurant, sitting next to Steve Anderson … really a nice guy!

Tuesday 14 April 2009

WebSEAL and OpenSSO; combining the best of both worlds

WebSEAL enthousiasts will tell you that this reverse-proxy solution is of top quality and offers customers a great deal of flexibility. On the other hand, they would have to admit that it requires development effort to integrate it with other (stronger) authentication modules than the four authentication modules it ships with.

OpenSSO enthousiasts will tell you that the free OpenSSO product is of top quality and offers customers a great deal of flexibility and authentication modules out-of-the-box. On the other hand, they would have to admit that one has to build its own reverse-proxy solution with it.

If only there was a way to create a synergy between these two market leading products ... Enter the WebSEAL External Authentication Interface (EAI). This WebSEAL feature allows customers to delegate the authentication process to a third party component. Using OpenSSO as the External Authentication component is like a perfect match. OpenSSO supports a vast number of authentication modules right out-of-the-box like Active Directory, SAML, SecurID, InfoCard and even biometric systems, to name a few. Furthermore it can be deployed on a WebSphere application server and last but not least; it's free!

At IS4U, we put this into practice and wrote a whitepaper about it. It's freely accessible. Feel free to distribute our whitepaper to whom it may concern and provide us with feedback.