Ensim’s Blog

It’s a great opportunity when a company get’s to tout its achievements. This blog post shares it’s enthusiasm for not just one of Ensim products but for both Ensim Unify Service Provider Edition and Ensim Unify Enterprise Edition.

Ensim Unify Service Provider Edition took home TMC’s 12th annual Internet Telephony Product of the year award.

“Internet Telephony is happy to recognize and honor Ensim for their development of IP communications technology. With Ensim Unify Service Provider Edition, Ensim has further proven its commitment to quality and excellence while addressing real needs in the marketplace,” said Rich Tehrani, CEO, TMC. “We look forward to more innovative solutions from them in the future.”

Ensim Unify Enterprise Edition has been recognized numerous times this month in industry articles, most recently by KMWorld, covering the latest in content, document and knowledge management. Ensim’s most recent release, SharePoint Manager …

“…ensures that when users are provisioned and managed, business and policy objectives are met on a secure, cost-effective basis.”

Thank you once again for all the great support!

mgallegos Uncategorized Ensim Unify, enterprise, Service Provider, SharePoint

There is nothing better then honest customer feedback in a news article. In eWeek this past week, Wayne Rash wrote an article called “For Change Management, First, You Need a Plan”. Find the full article here.

The article highlights, how a group of IT professionals approach change management from their individual perspectives. Rash also provided industry analysts viewpoints on this critical issue. We’d like to draw your attention to Network Engineer, Paul Smith at Metafore, who participated in the interview and is currently running Ensim Unify Enterprise Edition.

“It’s removed a lot of administrative overhead for my department,” Smith said, “and it’s saved a lot of time. We used to have a lot of manual steps for user management. We don’t have those steps anymore. From my own experience it has lowered [the number] of errors.”

We truly appreciate the feedback.

mgallegos Uncategorized Active Directory, Add new tag, change management, eWeek, Identity & Access Management, User Provisioning

We are pleased to be included in Eric Rux’s post reviewing 4 different AD management tools. You can find the article here.

The test parameters were pretty straightforward - running through five typical administration tasks that the build-in Microsoft tools (ADUC) either don’t do or don’t do very well. Those tasks were “user provisioning (e.g., AD, Exchange, BlackBerry, ERP), Exchange provisioning (e.g., data store based on last name/department), delegation of duties, user de-provisioning a user (e.g., scramble username, reset password, remove from external system), and reporting for audits.” These represent a good cross section of tasks that can become very time consuming in medium and larger organizations.

Eric notes that the four products have similar methods for helping you streamline the process of provisioning new users. If every new user needs to be a member of an ERP Application global group, for example. Another common example of user provisioning is integration with an HR database. AD is often populated with data from an HR database. This can work in one direction or in both directions depending on the requirements.

Of course we were thrilled with his Recomendation:

If you need provisioning outside of Active Directory that includes BlackBerry Enterprise Server, Exchange 2007 or 2003, Google Apps, and Microsoft Office Communication Server (OCS), look no further.

Scott Young Uncategorized

Apologies readers for the prolonged silence on this blog. Let me pick up the discussion from where I left in my last post.

We already talked about the need for request management and customized workflows. Next I want to talk about re-provisioning or maintenance of OCS configuration for user accounts.

On a typical day, IT help desk in a mid-to-large enterprise handles hundreds of support incidents related to user configuration updates. Depending on the business rules and regulations some of these updates can be continually complex and time consuming. These updates often fall into three broad categries:

1. Updating the use configuration settings for a user. A user may have been promoted or moved to a different project and hence the entitlements for the user have changed. Or, may be the user account was mis-configured to begin with and now needs to be synchronized with their entitlements and configured accordingly. In either of these scenarios an administrator has to manually fix the configuration settings for the user account.
2. Often system administrators do a phased roll out of various OCS features. They start with a initial set of features for a small group of people and then later expand the coverage to a bigger group with more and more features. Planning a phased rollout has always been a maintenance nightmare for administrators.
3. Additionally, system administrators are continually improving the business processes which eventually results in changes in entitlements for existing users or re-provisioning of user accounts with new configuration settings on different server pools.
   The provisioning system should be extensible enough to adapt to the enterprise’s specific needs not just from an initial on-boarding perspective but also as an ongoing update to enforce the rules and policies for all users.

Ensim Unify enables system administrators to automate several maintenance processes which can be configured to ensure that everybody’s entitlements are enforced in the account settings. For example – if the SIP URI for a user is configured to be same as their email address, the maintenance jobs will ensure that this rule is enforced at all times. Any inconsistencies or mis configurations in the deployment will be detected and corrected by the system without requiring any administrator intervention.

agupta Uncategorized

In my last post we discussed various considerations around request management and how administrators can use Ensim Unify to quickly integrate OCS user provisioning with their existing provisioning request management. Once administrators have overcome the integration with their request management systems, the next challenge they face is how to customize the provisioning workflow based on various business rules and policies.

Issue #2 : Customizable provisioning workflows
Most enterprises have various business rules and regulations which drive entitlements for all users. In regulated environments these rules can be very complex and strictly enforced. Typically these business rules define the various OCS options that will be enabled for each user and the OCS server pool on which the user account is provisioned. A global enterprise can have various considerations like - geographical location, SLA committed, department or project group in determining the server pool location while processing the provisioning request. Similarly, OCS entitlements could be a combination of some of these considerations.

The one-click template based provisioning from Ensim Unify allows system administrators to integrate Ensim Unify with their entitlement engine and at the same time hide the complexity from junior administrators . Additionally, Ensim Unify offers automated capacity management to implement OCS server pool location based on various internal rules.

Provisioning is not a one-time event. Re-provisioning and addressing daily moves, updates and changes continually takes up administrator’s time and attention. In my next post I will address some of the issues around change management and how Ensim Unify addresses those issues.

Amit Gupta
Director – Product Management
Ensim Corporation
Email: agupta@ensim.com

agupta Uncategorized OCS user provisioning, provisioning workflows

Over the past few months, we have helped several Fortune 100 customers get a handle on their OCS provisioning and ongoing management of user changes. Because the process was so interesting and insightful, I wanted to relay the key issues that we solved in some of these OCS deployments in the hope that many of you will be able to better prepare for these – you won’t be able to avoid them, but knowledge is half the battle. I’ll break each issue in an article of its own and try to provide as much details as possible.

Planning an OCS deployment and rollout for a mid to large enterprise (anything over 10,000 seats) is complicated at best, daunting at its worst. System administrators have to carefully evaluate the capacity requirements, network topology, telephony deployment scenarios and various other considerations before they can put together a project plan for OCS rollout. As administrators plow through various stages of this plan, they almost always neglect the provisioning or on-boarding process, which eventually becomes a gating item for their rollout.

While some administrators may be able to work around the provisioning challenges by working through the native Active Directory or OCS management interface, for most mid to large organizations it will be almost impossible to handle all the provisioning requests manually.

Issue #1: Integration with existing systems

Each enterprise has an existing mechanism for triggering the new-hire or on-boarding request and this request management mechanism should be updated to address OCS provisioning for new hires. System administrators, typically, would have a tailored request management system, however in most cases it is a variation of the following few scenarios:

• Often HR system is the first IT system that gets seeded with the new hire information and from there on a request is triggered to provision various IT services like mail, telephone, access card etc for the new employee. Some of these services might require some manual approvals and might be addressed offline. An administrator will have to augment this new hire process to further add OCS provisioning requests for new employees automatically based on their entitlements.

• Because of additional Microsoft CAL implications some enterprise may not want to roll out OCS for all employees and may want to implement a charge-back mechanism for business units or cost centers before OCS access is enabled for requested employees. Typically, in such cases an administrator has to update an existing (or build a new ) intranet website for managers to request OCS service for their direct reports or setup a self registration page for employees. These intranet pages should be further integrated with the charge back systems to make sure that the cost center or the business unit is billed accordingly.

• Additionally, an enterprise might have an ERP system or identity management framework implemented which will have to be updated to trigger OCS provisioning requests as new identities are created in the IT systems.

Ensim Unify OCS Manager has robust extensibility through web service APIs. These APIs implement most WS-* standards enabling inter-operability with any existing system and allowing system administrators to address any of the scenarios mentioned above. More technical details will follow in some of the subsequent articles.

While this is just the first aspect of OCS user provisioning, it is clear that system administrators should include user provisioning in their upfront planning to avoid any hiccups during the rollout.

Amit Gupta

Director – Product Management

Ensim Corporation

Email: agupta@ensim.com

agupta Uncategorized Identity & Access Management, OCS, OCS Deployment, Office Communicator 2007, User Provisioning

It’s now on my calendar, SysAdmins Day - its the last Friday of July and believe it or not - we just celebrated it. I found this in one of the blogs I often read. However, it was the comments that I enjoyed most; one said:

“I’m an IT guy, if you want to appreciate me, then for one day stay away from my desk, my phone number, and my email address. That will be appreciation enough.”

I laughed to myself, but I can see his point - just think about all the responsibilities a System Administrator has:

• staff training and support
• software installation, maintenance, and upgrading
• hardware installation, maintenance, and upgrading
• research and trouble shooting
• routing network administration and maintenance
• network documentation and network management in some cases
• database supervision
• etc. etc.

Depending on the size of your organization, the tasks, complexity and workload increase. So “hats off” to the IT professionals out there. There are companies out there trying to make your life easier. 

mgallegos Uncategorized Active Directory, Exchange

A recent posting in Federal Computer Week: 6 steps to cutting the cord to departing employees by Alan Jock, brought up several questions. Alan points out numerous concerns of faulty de-provisioning with departing employees and lists a number of steps that should be taken to deal with exiting employees. To paraphrase:

1. Managers enter exiting employees name and departure date into CICO system (Check In Check Out) and review list of assets the employee was assigned during employment.
2. The CICO system sends automated e-mail alerts to departments related to exiting employees.
3. Managers match employees assets list with actual assignments to find a more complete list of resources and access rights in the exiting employees possession.
4. The fourth step creates work orders for staff members to recover or deactivate each of the assets identified in the previous steps.
5. In the CICO process, managers update the check-out work orders to indicate status for retrieved or deactivated resources.
6. On the last day of employment HR reviews the checklist to flag and act on any missing elements in the CICO process.

This seems like a pretty straightforward set of steps in a fairly complex workflow that is part of a completely custom system. All this effort is designed to simply de-provision an employee. This brings up several questions: why is it so complicated and why does it need so many steps that require human intervention?  How would a system like this be audited? What are the security risks?

In a enterprise grade provisioning system, all the information regarding access, assets, and entitlements needed to de-provision a departing employee should already be there. All the policies should already be in-place and in-force. If all the information needed is already there, then any HR person should be able to press a button and de-provision the employee based on those established IT policies. (Immediately remove permissions and access, archive email and forward for a period of time, allow managerial access etc., etc.)

Workflow systems that generate work orders and send email to accomplish tasks are, by definition, less secure then a provisioning and access control system that completes these tasks without requiring human intervention. It would also seem less costly then maintaining a system such as this and might even help streamline existing processes. Food for thought.

mgallegos Uncategorized Active Directory

In a recent posting by Greg Masters of SC Magazine, HIPAA compliance was the focus of the discussion around compliance and risk mitigation. Even though enforcement actions have been minimal and HIPAA appears to really only provide general security guidelines specific to the health care; we see an increasing burden on IT to “prove” that it can protect sensitive patient data. We also see the major “risk” to health care organizations not from direct enforcement actions, but from lawsuits brought by patients who were damaged in some way when their medical records were compromised. Costs there could be quite high.

Mr. Masters brings up two very important points related to general security and risk mitigation that affect IT:

• the requirement that employees change passwords every 60 to 90 days
• increasing policy awareness among employees related to data sensitivity

Both points can substantially increase the burden on IT to ensure compliance with established policy. (This assumes that those policies are there in the first place.) Software designed to “ensure” that these policies are enforced can make a huge difference in the amount of overhead required. In addition, this makes self-service operations like password reset even more important.

These capabilities can make IT’s efforts to manage and mitigate risk much more effective as well as decrease the burden. It should come as no surprise that we recommend IT look for solutions that automate these activities wherever possible. Do you have any other suggestions?

mgallegos Uncategorized Active Directory, Compliance

Most people would be amazed at how often this happens. Many senior system administrators have probably already been through it - that accidental deletion of an organizational unit (OU) in Active Directory. It can be accidental fat finger where someone is in the process of deleting a single user and accidentally deletes the whole OU.

The people that have been through it are cringing right now remembering when it happened. The ones it has not happened to are in blissful denial. You can hear them saying: 0ur people are seasoned pro’s, no one makes those kind of mistakes, it can’t happen here, we have trained people, we have procedures to prevent that, that will never happen to us… However, the truth remains that at some time in your IT career, more than likely, you’ll have this unfortunate experience. Hopefully, just once.

As Jan De Clercq notes in his post “How can I protect Active Directory (AD) objects such as organizational units (OUs) from accidental deletion by administrators?” it’s pretty difficult to UNDO this mistake. It usually means some restructuring etc. It also seems to us that trying to protect objects on an individual level could get cumbersome, but that approach is better than hoping nothing goes wrong.

This is why we stress protecting AD on a programatic basis using your existing policies. This is the only way you will truly save your active directory from “unauthorized” changes. Additionally, it will open up a host of time saving and more secure options for operations like the provisioning / de-provisioning process - things like eliminating orphan accounts etc. More on that later…

Scott Young Uncategorized Active Directory