
Rules of a Creator’s Life

October 24th, 2012 | No Comments | Posted in General

Found this in my inbox this AM:

I gotta work on #5 a bit more. :-)


SailPoint IIQ Security Best Practices

October 15th, 2012 | No Comments | Posted in IAM Development, IAM Engagement, IdM Engagement

Over the last several weeks I’ve been building out an entire SailPoint IIQ development infrastructure on ESXi — every major version of SailPoint IIQ since v5.2 on CentOS 6 (essentially RHEL 6), available over a number of major app server platforms for customer and development testing (e.g. Tomcat, JBoss, perhaps WebLogic, etc.), including Windows Server 2K8 Active Directory, LDAP and other outlying systems. Today, as I considered the small data center I’ve been building out, I had “on-site flashbacks,” and I thought it would be a good time to talk about SailPoint IIQ security best practices.

Easy To Forget!

We all get busy and it’s easy to forget — we’re supposed to be security professionals. A lot of you out there have a couple of forensics cases waiting in the wings, there’s that big virus scare Bob in Accounting let loose on the network on “Bring Your Son To Work Day” (yep, he plugged his son’s laptop into the network, didn’t he?! :-(), there’s the perimeter pen testing you and Jane are supposed to be doing on the 15 new apps destined this week for external rollout, there’s the latest audit report due (again!), and… oh yeah, there are these SailPoint consultants on-site the next two weeks helping you __________ your (new) IdM infrastructure, starting in dev (fill in the blank with “rollout”, “upgrade”, “assess”, “shakeout”, “test”, “customize”, or “all of the above” as it suits.)

As you may have noticed with barely concealed glee, SailPoint IIQ is your new magnifying glass for IAG in the enterprise; it’s really good about going after the details at a minimum (based on RO connections to all your outlying systems), to say nothing of what you may be doing for certifications, reporting, provisioning and workflows — full LCM (if you’re on your way to IAG nirvana!). You’re going to nail non-compliance with this tool.

But what about the tool itself!? Have you stopped to consider the following best practices around secure SailPoint IIQ deployment? It doesn’t do anything to fully armor the front of the barn if other individuals in your enterprise can sneak in the back door!

What is your “threat footprint” for SailPoint IIQ as “an enterprise application” itself?! (That’s the funny thing about SailPoint IIQ — it audits apps, but it’s an app itself, when you think about it.) I’m not going to say a WORD about what I’ve seen anyone do. :-) Just make sure you are doing the following at some point when you’ve got Bob in Accounting up to speed on network policy and at least one of those audit reports done before your CISO has that meeting with HIS boss, the CEO. :-)


Properly Leveraging Endorsements on LinkedIn

October 5th, 2012 | No Comments | Posted in Career Management, General

As you may have noticed, LinkedIn has introduced a new feature called “Endorsements.” This allows any one of your connections to endorse the skills in the Skills section of your LinkedIn profile through a one-click endorsement wizard. Needless to say, this makes having the skills section of your profile filled out and relevant all the more important. Here are some quick tips on skills and endorsements that I hope will help you gain the most from this new feature:

1. Use ’Em All!

There is room in your profile for up to 50 skills. If you can, you should use them all. Don’t forget there are a number of “soft skills” you can add to your skills section that can be just as valuable as a technical skill. If you are good at “Contract Negotiations” or “Vendor Management” and you don’t have all 50 skills used at present, by all means… add ’em.

2. Make ’Em Relevant

So maybe you’re really good at Classic ASP for instance. You view Classic ASP with a sense of nostalgia and so you include it in your skills section. Don’t. :-) Classic ASP is dead. Instead, use that slot in the 50 you have allotted for something else, even if you have to fill that slot with a soft skill such as “Client Engagement” or something similar. “Client Engagement” skills are much more valuable than “Classic ASP” skills, even if you really are good at Classic ASP. You only have 50 slots so make every one of them count.

3. Make Sure They “Match”

If you haven’t already noticed, behind the scenes LinkedIn maintains a database of skill keywords. You can see these as you update your skills. Skills that are suggested are officially maintained skill keywords. While you can “create” skills by typing in and saving a skill title that isn’t in one of the suggestions, it won’t do you much good. Recruiters and potential employers using LinkedIn search based on the pre-defined skill keywords LinkedIn maintains. If your skill doesn’t match a suggested skill, you probably won’t be found. If you are a freelancer, this can be absolutely critical.

4. Make Sure They Are Up-To-Date

From what I can tell, new skills are periodically being added to LinkedIn’s skills database. Early adopters of the skills section in their profiles likely did make up some skills that weren’t originally suggested from LinkedIn’s skill database. I know I did. Periodically, it makes sense to go back through every skill and make sure it’s a suggested skill (i.e. agrees with LinkedIn’s internal skills database).

5. Make Sure You Can Defend It

The days when you “did a few sample exercises” in .Net and now claim it as a skill are probably over. It’s likely better to only maintain technical skills that you can defend in a technical interview. Again, it is far better to list a soft skill such as “SDLC” or “Project Management” than to list “.Net”, have someone endorse you for .Net, and know that you wouldn’t be able to pass muster in a technical interview. Which leads me to…

6. Don’t Do Anyone Any Favors… :-)

When endorsing someone, make absolutely certain you are endorsing him or her because you have firsthand knowledge and experience of his or her prowess in that skill. Don’t do any of your connections any “favors.” Ultimately you could be doing your friend a disservice to endorse him or her for something they really aren’t that good at doing. So when you are going through the skills wizard, it’s probably not a good idea to think “Oh Sally… I didn’t know she was skilled in ___________” and then endorse Sally in __________. Only endorse an individual for skills you can verifiably testify that person has. Provide references and not “favors.”

Hope this helps you shore up and gain the most from the new Endorsements feature of LinkedIn. Now, to schedule some time to follow my own advice. :-)
