yourfanat wrote: I am using another tool for Oracle developers - dbForge Studio for Oracle. This IDE has lots of usefull features, among them: oracle designer, code competion and formatter, query builder, debugger, profiler, erxport/import, reports and many others. The latest version supports Oracle 12C. More information here.
Cloud Computing
Conference & Expo
November 2-4, 2009 NYC
Register Today and SAVE !..

2008 West
Data Direct
SOA, WOA and Cloud Computing: The New Frontier for Data Services
Red Hat
The Opening of Virtualization
User Environment Management – The Third Layer of the Desktop
Cloud Computing for Business Agility
CMIS: A Multi-Vendor Proposal for a Service-Based Content Management Interoperability Standard
Freedom OSS
Practical SOA” Max Yankelevich
Architecting an Enterprise Service Router (ESR) – A Cost-Effective Way to Scale SOA Across the Enterprise
Return on Assests: Bringing Visibility to your SOA Strategy
Managing Hybrid Endpoint Environments
Game-Changing Technology for Enterprise Clouds and Applications
Click For 2008 West
Event Webcasts

2008 West
Get ‘Rich’ Quick: Rapid Prototyping for RIA with ZERO Server Code
Keynote Systems
Designing for and Managing Performance in the New Frontier of Rich Internet Applications
How Can AJAX Improve Homeland Security?
Beyond Widgets: What a RIA Platform Should Offer
REAs: Rich Enterprise Applications
Click For 2008 Event Webcasts
In many cases, the end of the year gives you time to step back and take stock of the last 12 months. This is when many of us take a hard look at what worked and what did not, complete performance reviews, and formulate plans for the coming year. For me, it is all of those things plus a time when I u...
The Secret Sauce of User Provisioning
Key lies in integration with other infosec capbilities

If you want the secret to user provisioning and de-provisioning in an enterprise setting, I’ll give you the one word answer, and then you can get on with the rest of your day…


However, if you need to know why, how and with on.

The need to credential authorized users to your network and other proprietary assets is clear. You only want those with the proper rights in…and all others out. Complicating matters is that there are so many users these days…employees, channel partners, contract employees, suppliers, vendors, customers, prospects--all needing some sliver of access. Further muddying the water is that each of the mentioned user types are not all equal. Consider employees. Do you want your junior admin assistant to have access to payroll information or other files type specifically aimed at senior executives? The volunteer coordinator at a local branch of a national non-profit may need social media access to spread activity messaging, but probably doesn't need the log in credentials to ServiceNow.

In ancient days, you gave the key to the crown jewels to one trusted sentry. And only death would part this sentinel from his sacred duty of protecting the most precious assets of the kingdom.  However, that ruler never ran a successful multi-national, multi-brand enterprise with thousands of moving parts all needing to access to portions of those precious assets in order to perpetuate that success. The overarching problem is not only maintaining the sanctity of the assets, but providing an enforcement policy that simplifies the complex tangle of provisioning (and de-provisioning) and creates seamless and orderly access for users at a manageable cost.

Too many companies ride the razors edge with overly open networks and permission protocols. Even with firewalls and intrusion detection security, if you give out the keys to the kingdom like candy, you’re bound to suffer high dentist bills!

So you have all these moving parts; all these competing needs; and time, of course, is a premium. Provisioning is the process that creates user identities and gives them access privileges to your network. Best practices (and many compliance regulations) dictate that that access be awarded based on role. This gives IT the control it needs to differentiate predetermined user needs. Each department, division, franchise, partner sees the files and applications it needs to see for the purpose of achieving organization. And that’s it.

To ensure provisioning is streamline, you need to make sure the process is automated. So when a new “account” is created (from Active Directory, LDAP or various native SaaS directories), existing rules push the identity out and regulate access to applications and data quickly and without costly IT intervention. This is especially important when you have an organization with autonomous elements like branch offices, franchises and disparate memberships.

The same goes for de-provisioning. Imagine you buy a house, but you let the previous owners keep a set of keys. De-provisioning makes certain that doesn’t happen. And automatic de-provisioning ensures that happens at the moment of employee termination, contract fulfillment, service cancellation or any other separation. Your HR person or contracts administrator can notate the status change, and through a workflow process engine, the “keys” have been handed in and all privileges to network assets cut off. As data leakage and data theft are some of the biggest threats to an enterprise, this process instantly reduces the risk.

Now what was that about integration?

Up to this point, everything I described is part of most identity management packages. And there are many vendors who can supply it on premise or from the cloud (again based on your organizational need). But, what most identity management packages lack is the ability to automatically integrate with other security pillars; most notably, access management (which controls such things as single sign on). Now there are solution providers and managed service providers that offer both; and in fact, you may have both deployed somewhere on your network. But the secret sauce is unless you have customized your configuration, a unified solution doesn’t really exist.

However, it does currently exist as an out of the box deployment from the cloud. Most enterprises today have a myriad of applications-some based in the cloud, some on premise, some home-grown legacy solutions. And your IT landscape is not static. What is needed is something flexible and scalable to keep up and match the changing demands.

Why? Putting the obvious arguments as cost-savings, and the expansion of immediate and available expert resources aside, let’s concentrate on one that directly impacts security: agility and visibility to respond and protect assets. Separately, identity credentialing and access management control unique-yet-related domains of the security environment. Each requires separate administration with no requirement to leverage information with the other. This leads to potential organizational disconnect (the old chestnut of the right hand doesn't know what the left is doing). The vulnerability gaps created from this oversight can affect everything from compliance to the usage of unsanctioned materials to the unsupervised access of important assets and theft of sensitive information.

However, by centralizing user management under a “single pane of glass,” one create usage context and trackable continuity. If you simply provision to a network, you don’t gain the control over SaaS applications. By incorporating them into single-sign on, IT successfully winnows the possibility of a user moving outside their sphere of security.  Don’t want a user to access Spotify while logged onto your network? If provisioning gives them access to a browser on your IP address, SSO can prevent the usage by removing availability. And user names and passwords for the multiple of SaaS apps (both SAML and non-SAML federated)? An integrated deployment can synchronize and manage all the passwords form any internal or external app or membership-centric web destination (and self-service can reduce direct IT involvement).

In terms of integration, there is one more layer to true unified security. By incorporating SIEM and log management to the mix, you truly increase the strength of your security initiatives. This creates true situational context if monitored in real time. For instance, an alert is generated if an attempt to log-in to a de-provisioned account is tried. Or if a log-in is attempted outside the confines of the approved SSO log-in. Or, for good measure, someone successfully logs in and tries to modify, copy or change a protected asset. This unified approach to security really does enhance the visibility. It won’t stop the attacks from occurring, but should prevent them from doing any damage.

In that I advocate this package of solutions being deployed from the multi-tenant cloud,  I truly believe they are they are not simply affordable by any sized company, but with the benefit of security as a service, extraordinarily manageable. So when I advocate their inclusion I am not trying to create best practices in a vacuum that only Fortune 500 companies can deploy. Cloud security is an egalitarian and effective means to achieve better security based on business and organizational needs, not technology, budget or staff availability.


Kevin Nikkhoo

About Kevin Nikkhoo
With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.

SOA World Latest Stories
When building large, cloud-based applications that operate at a high scale, it’s important to maintain a high availability and resilience to failures. In order to do that, you must be tolerant of failures, even in light of failures in other areas of your application. “Fly two mistakes ...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand usin...
Lori MacVittie is a subject matter expert on emerging technology responsible for outbound evangelism across F5's entire product suite. MacVittie has extensive development and technical architecture experience in both high-tech and enterprise organizations, in addition to network and sy...
Containers and Kubernetes allow for code portability across on-premise VMs, bare metal, or multiple cloud provider environments. Yet, despite this portability promise, developers may include configuration and application definitions that constrain or even eliminate application portabil...
Modern software design has fundamentally changed how we manage applications, causing many to turn to containers as the new virtual machine for resource management. As container adoption grows beyond stateless applications to stateful workloads, the need for persistent storage is founda...
Using new techniques of information modeling, indexing, and processing, new cloud-based systems can support cloud-based workloads previously not possible for high-throughput insurance, banking, and case-based applications. In his session at 18th Cloud Expo, John Newton, CTO, Founder an...
Subscribe to the World's Most Powerful Newsletters
Subscribe to Our Rss Feeds & Get Your SYS-CON News Live!
Click to Add our RSS Feeds to the Service of Your Choice:
Google Reader or Homepage Add to My Yahoo! Subscribe with Bloglines Subscribe in NewsGator Online
myFeedster Add to My AOL Subscribe in Rojo Add 'Hugg' to Newsburst from CNET Kinja Digest View Additional SYS-CON Feeds
Publish Your Article! Please send it to editorial(at)!

Advertise on this site! Contact advertising(at)! 201 802-3021

SYS-CON Featured Whitepapers
Most Read This Week