Friday, April 18, 2014

DAM Testing and Compliance



Testing and compliance
Testing and compliance are two areas which are often skipped during the implementation of a DAM system due to budget or time constraints. Other times, the only extent of it is a run through the most important features as part of customer training to see if they behave as expected. And even when testing and compliance are part of an implementation plan, many solution providers forget that they are ongoing, never-ending efforts.
In reality, it is wise to invest in proper testing and compliance assessment before going live, so that issues are found and fixed before a solution is opened to general use. In some cases, skipping this can even lead to non-approval of a solution at the very last minute, which can cost your customer and you a lot of money (and prestige). Ongoing testing and compliance efforts also ensure that a DAM solution is ready for potential future threats, as the recent Heartbleed bug has shown.

Testing

Generally, the goal of testing is to validate and verify that a DAM solution meets all requirements, works as expected and satisfies the needs of your customer. This can be achieved in areas such as:
  • System Integration Testing: Are all components of a DAM system properly talking to each other as well as with integrated, 3rd party components/solutions?
  • Security Scans: Are your protocols, passwords, encryption standards, ports and certificates safe enough, and do they adhere to set standards?
  • Vulnerability Assessments: Scanning your system in order to create a prioritized list of discovered vulnerabilities and how to remediate them.
  • Penetration Tests: Simulate specific attacks in order to find out if intruders can gain access in a way they should not be able to.
  • Usability Testing: How do end users evaluate the usability of your DAM solution, and what can be improved?
  • User Acceptance Testing: Are all requirements of agreed upon specifications met?
  • Performance Testing: Does the solution fulfill certain benchmarks in terms of responsiveness and stability under a particular workload?


Compliance

Being compliant means being able to demonstrate to a client that a DAM solution satisfies all regulations, processes and policies imposed internally or by law. This typically includes areas such as:
  • Security Standards: How do your data and traffic have to be encrypted? What password length and complexity is required? Does your documentation need to be stored “at rest”? How often will the security of your DAM system be audited?
  • Government Regulations: This includes regulations such as HIPAA, Section 508 Standards (Accessibility & Readability), Intellectual Property Laws, Privacy Laws and much more.
  • Approved Software/Vendors/Technologies: Many customers only allow certain vendors or software when 3rd party software is needed as part of your DAM implementation. Others require, or may eventually require, open standards such as SQL.
  • Software Updates: Do OS patches need to be applied regularly? Does your DAM system need to be upgraded whenever a new release comes out?


Customer Example

To demonstrate how we implemented an ongoing testing and compliance scheme for one of our customers, please see the following diagram:



As you can see, we ensure that this particular DAM solution continues to work as expected through a multitude of tools, including:
  • HP WebInspect: An automated and configurable web application security and penetration testing tool that mimics real-world hacking techniques and attacks, enabling you to thoroughly analyze your complex web applications and services for security vulnerabilities.
  • Qualys SSL Scan: Performs a deep analysis of the configuration of your SSL-secured web server and shows how these settings can be improved.
  • Solarwinds N-Central Monitoring Suite: Monitors and reports on the up-time of all system components in order to minimize downtime and respond to issues quickly, often before your customer even notices.
  • GFI LanGuard: A vulnerability scanner and patch management software which scans your network’s ports for vulnerabilities and offers remedies.
  • Windows Software Update Service (WSUS): Automatically ensures that all critical and non-critical OS patches are applied as they are released.
We can assist you in all areas related to testing and compliance in the DAM arena and beyond, so please get in touch with Nextware Professional Services at contact@nextwaretech.com today if you have any questions or need help.

Monday, March 17, 2014

Active Directory User Management with Softerra Adaxes

In an ideal world, all end user access to Canto Cumulus is controlled via Active Directory. Even better are single sign-on (SSO) integrations as the one mentioned in one of my previous blog posts. But what if …

  1. All of your external end users are not part of your internal Active Directory?
  2. Your Cumulus solution is hosted in the Cloud?
  3. Your IT team does not want to deal with managing your ever-changing list of external end users, but also requires you to manage all access through AD?
This is the scenario we faced with one of our large corporate clients. In the end, we designed and built a solution for them that solves all of these problems. A key ingredient was Softerra Adaxes. This software sits as a layer “on top” of an Active Directory and enables us to grant internal, non-IT Cumulus administrators limited and exactly defined access to the Active Directory, so that they can manage their external end users themselves, without involving any IT staff and without needing any in-depth knowledge of how Active Directory works.


As you can see in the diagram, internal users are still managed by the IT team of our customer. Their connection to Sites and Web Client is handled by an SSO integration. However, internal Cumulus administrators can use Softerra Adaxes’ web-based “User Manager” to create and manage their external end users in a secondary Active Directory hosted in the cloud. This includes assigning users to Active Directory groups which are mapped to Cumulus application roles. This “User Manager” is completely customizable. This is how we designed the look for our customer’s Cumulus administrators:



Each of these so-called “home page actions” can be defined down to the finest detail: it is, for example, possible to allow admins to create users only in specific organizational units (OUs) and to assign them only to specific groups within specific OUs, so that they can grant access to or modify only those parts of the Active Directory they are allowed to. The configuration can be as restrictive or as open as needed.
To a Cumulus administrator, the “Create new user” dialog could appear like this in their browser:


However, in the backend, we (as the solution providers) configured this web-based “User Manager” to be restricted as follows:
This can be done for any of the home page actions, and even the home page layout is completely customizable. This is really great news for all Cumulus customers who are required to manage their users via AD but have always complained about the extra effort and delay when they need to create a new user or modify an existing one … like moving a user into a different group, i.e. a different Cumulus role. With Adaxes, that responsibility can be handed straight to the people who also manage Cumulus.

If you are interested in a similar solution, please get in touch with Nextware Professional Services at contact@nextwaretech.com today.



Wednesday, February 26, 2014

Single-Sign On (SSO) Integration for Canto Cumulus

One of our enterprise clients required single sign-on (SSO) for all internal users accessing Canto Cumulus hosted in an Amazon virtual private cloud (VPC), since they do not allow any incoming or outgoing LDAP traffic to or from the WAN. The goal was to provide immediate access once internal users had been authenticated on their respective Windows workstations (“keys to the castle”). The problem we faced is that Canto does not yet provide an SSO connector … thus, such an integration had to be developed specifically.

We decided to use PingOne as the SAML service provider endpoint. The following diagram illustrates the complete integration, which now allows our customers to simply click a button or link in their intranet and immediately be connected to either Canto Cumulus Sites or Canto Cumulus Web Client without having to log in again.



This SSO integration is highly secure, as it validates the user details twice: once on the customer side and a second time between Cumulus/AWS and PingOne. Furthermore, it still allows all other, regular Cumulus authentication options to be used in parallel. That includes built-in users and AD-authenticated users, since the custom SSO Authenticator module is simply added as another Cumulus authentication module and does not replace the existing Cumulus authentication modules. This gives customers a lot of flexibility to create mixed authentication scenarios. In fact, this particular customer uses all three authentication options:

1. Internal users connect via SSO

2. External agencies (not pictured in the diagram) connect via an AWS-hosted AD

3. Certain technical Cumulus users (like RoboFlow) connect as built-in users

So how does this SSO integration work?
1. A SAML token generated by our client’s federated service includes a re-direct URL.

2. Upon authentication completion, the return token (incl. all user metadata needed to verify the SAML token) is re-directed to the respective Cumulus web interface.

3. This data is transferred to the Cumulus Web Server as part of the login data.

4. The Cumulus Web Server connects to the PingOne server to verify the token.

5. Once verified, PingOne returns a SAML token with details (valid/not valid).

6. The Cumulus Web Server does a “Connect to Cumulus App Server” and posts an XML/JSON structure that the Cumulus App Server parses to authorize the user.

7. The Cumulus Server assigns user metadata and matches groups with roles based on the posted XML/JSON.

This required only very few integration parts, which can easily be carried over to any future release of Cumulus, including:
1. A Cumulus Web Server “Token Handling Customization” that can be used to trigger a “Connect to Cumulus App Server” with PingOne’s SAML token handling.

2. A Cumulus App Server “Authenticator Customization” that understands the XML/JSON structure posted by the Cumulus Web Server.
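To make the seven steps and the two customizations concrete, here is an added Python model of the flow. It is my own illustration, not Canto’s, PingOne’s or Nextware’s code: a signed JSON token stands in for the SAML token, a local HMAC check stands in for PingOne’s verification, and the shared secret, the group-to-role table and the allowed redirect hosts are constructed assumptions.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed demo secret shared by issuer and verifier (hypothetical; stands
# in for the SAML trust between federation service, PingOne and Cumulus).
SHARED_SECRET = b"demo-secret-not-for-production"

# Hypothetical AD group -> Cumulus application role mapping (constructed).
GROUP_TO_ROLE = {"DAM-Admins": "Administrator",
                 "DAM-Editors": "Editor",
                 "DAM-Viewers": "Viewer"}


def issue_token(user, groups, redirect_url, now, ttl=300):
    """Step 1 stand-in: the federated service issues a signed token carrying
    the user's metadata, groups, redirect URL and an expiry (unix seconds)."""
    payload = {"user": user, "groups": groups,
               "redirect": redirect_url, "exp": int(now + ttl)}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + sig


def verify_token(token, now):
    """Steps 4-5 stand-in: the verifier (PingOne's role here) answers
    valid/not valid and, if valid, returns the token details."""
    try:
        body_hex, sig = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return False, {"reason": "malformed"}
    expected = hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # tampered token
        return False, {"reason": "bad signature"}
    payload = json.loads(body)
    if payload["exp"] < now:                    # replayed/stale token
        return False, {"reason": "expired"}
    return True, payload


def web_server_login(token, allowed_hosts, now):
    """Steps 3-6: the web server builds the structure for the app server only
    after the token verifies and the redirect target stays on an allowed host."""
    valid, details = verify_token(token, now)
    if not valid or urlparse(details["redirect"]).hostname not in allowed_hosts:
        return None
    return json.dumps({"user": details["user"], "groups": details["groups"]})


def app_server_authorize(posted_json):
    """Step 7: the app server parses the posted JSON and maps groups to roles;
    a user whose groups map to no role is not authorized (fail closed)."""
    if posted_json is None:
        return None
    data = json.loads(posted_json)
    roles = sorted({GROUP_TO_ROLE[g] for g in data["groups"] if g in GROUP_TO_ROLE})
    return {"user": data["user"], "roles": roles} if roles else None
```

The point to take from the model is the order of checks: nothing is posted to the app server until the token has verified, and group names that are not mapped to a role grant nothing.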

This integration is extremely flexible and can be adapted to fit additional requirements. If you are interested in this or other DAM customizations and/or integrations, please get in touch with Nextware Professional Services at contact@nextwaretech.com today.

Tuesday, February 11, 2014

Automated Agency Upload WorkFlow


Uploading large sets of data over HTTP/HTTPS to your web-based DAM system can pose a couple of challenges:

1. Lack of support for large uploads.

2. Folder structures are not maintained.

3. They can be cumbersome and time-consuming, as files might have to be dragged into an upload dialog one by one.

4. Certain file formats might not be supported.

5. Interrupted uploads have to be restarted from the beginning, and it might not be clear which files have already been uploaded.

6. Detailed upload reports might not be available for later analysis.

7. Upload dialogs written in Flash or Java might not be supported in all browsers and/or on all platforms or devices.

One of our recent customers was faced with the following challenges:

· Multiple external agencies spread all over the U.S. and Canada provide the content for our customer’s marketing operations (packaged InDesign projects and output PDFs).

· Complex folder structures have to be maintained during uploads.

· Uploaded projects can routinely be more than 2 GB in size.

· Uploaded projects need to be auto-cataloged into the DAM system without agency users having the ability/permission to catalog.

· Folder structures need to be mirrored into the taxonomy’s category tree.

· Detailed reporting and notification on uploads is required.

· Access to the system is restricted to HTTPS/443 and SFTP/22.

· All access has to be controlled centrally through a dedicated Active Directory.

· The solution has to be 100% cloud-based.

· Agencies need to be able to provide project-specific, custom metadata through a web-based interface.

Based on these needs and built around Canto Cumulus, Nextware implemented a sophisticated and automated upload workflow solution using WS_FTP Corporate Server, one of the leading FTP Server solutions, as well as Canto’s “RoboFlow” add-on. Our customer can now ask their agencies’ users to simply upload their packaged projects and PDFs via an FTP client. In some cases, this may be all an agency user has to do. In addition and if required by our customer, agencies can also add custom metadata to their uploaded jobs.

In detail, their workflow looks as follows:

1. Designers create InDesign jobs, package and zip them, and combine them with the corresponding output PDFs into complex project folder structures. Often, one project can consist of 20 to 30 packaged InDesign jobs and 50-100 PDFs.

2. They then connect to the DAM system via FTP. Access is controlled via an Active Directory. These users are maintained by administrators on our customer’s team, so that agency users can be added, deactivated or even deleted at any time.

3. Server-side, WS_FTP organizes the uploaded projects into subfolders for each user inside a DropBox folder. The projects’ subfolder structure is maintained at all times.

4. Canto RoboFlow monitors this DropBox at a 1-minute interval. New projects are automatically moved into the Cumulus Vault (the central asset repository) server-side. At the same time, RoboFlow creates corresponding record entries in the respective catalog and reflects the folder and subfolder structure in the category tree. No user interaction whatsoever is required.

5. From that point on, either the uploading users at the external agency or the marketing users on the customer side can log into Cumulus via Web Client and further categorize and tag the projects’ records. User access is controlled through the same Active Directory as the FTP access. In other words: agency users use one and the same user name and password for all system access.

6. Furthermore, our customer’s marketing users can approve or reject projects, delete them, find existing projects based on custom metadata searches, download partial or complete projects, or share them via URL.


This workflow is extremely flexible and can be adapted to fit many other requirements. If you are interested in this or other DAM or workflow solutions, please get in touch with Nextware Professional Services at contact@nextwaretech.com today.

Sunday, February 9, 2014

Hosting Canto Cumulus in the Cloud


Most Canto Cumulus solutions are still hosted in-house for apparent reasons: better performance, tighter control over cost, data and infrastructure, and simply the fact that Cumulus, by design, is not a cloud solution. However, in 2013, a large corporate customer in the financial industry tasked Nextware with providing:

· a hosted and easily scalable DAM solution,

· based on Canto Cumulus,

· divided into database, asset and web servers for better load-balancing and security,

· with extremely stringent security, testing and backup requirements,

· without any customer-side server IT support nor maintenance,

· to end users within and outside the organization,

· with zero customer-side footprint,

· and world-wide web-based access.

These requirements meant a new road traveled, away from typical Canto Cumulus installations. The logical choice was using Amazon Web Services (AWS), in particular the following services:

· Elastic Compute Cloud (EC2): resizable compute capacity in the cloud,

· Elastic Block Storage (EBS): persistent block storage for use with EC2 instances,

· Virtual Private Cloud (VPC): isolated, virtual networking environment, including private and public subnets,

· Simple Storage Service (S3): scalable, inexpensive backup storage,

· and Route 53: cloud domain name service
 
Working with a project team based in Canada, the United States, India and Europe, Nextware fulfilled all these requirements. Six months later, after rigorous testing, our customer is now running a web-based DAM solution accessible only via secured ports 443 (HTTPS) and 22 (SFTP) with zero footprint on the customer side. Nextware maintains this solution 24/7 and provides technical support to all system users.

With this solution, the customer as well as external users, all controlled via Active Directory, can upload assets in batch via FTP. Server-side, Canto RoboFlow picks up new files, catalogs them and reflects the folder structure in their category tree. Users can access their catalogs and records via Cumulus Sites and Web Client. Web Client is used to categorize and tag assets, whereas Sites is used to find and download assets.

If necessary, customer-side admins can still use the Cumulus rich client within a locked-down remote desktop session. Nextware Professional Services realized such access through Remote Desktop Web Access and Remote Desktop Gateway Server.

The diagram below illustrates our highly simplified system architecture. All proprietary details have been removed.

If you are planning to migrate your existing DAM solution to the cloud or if you are interested in setting up a new, cloud-based DAM solution, get in touch with Nextware Professional Services at contact@nextwaretech.com today.

Tuesday, April 5, 2011

How to Choose the Right Software

I've been involved in many software selection projects in various roles and on different sides of the process. I know that selecting the right software can be a challenging and potentially complex process. So when you are planning a significant software purchase, and before you start your software selection process, think of the following challenges:
1- Software selection can be a time-consuming process
Remember that there is requirements gathering, issuing RFIs, doing research to select your candidates, detailed evaluation of products and technologies, and analysis of your evaluation results. Besides, someone has to manage and coordinate all of these activities with multiple vendors and all the organizations involved in the selection process.
2- You need to verify the information provided to you in RFIs
Vendors are naturally biased about their products. A lot of the time, vendors will claim to meet all your requirements. But you need to go one step further and determine which capabilities are in fact supported. The approach to getting this information depends on many circumstances, but it is nevertheless possible to do so. This may save you a lot of grief when it comes to implementation time.
3- Identifying product weaknesses
Product demos may not expose important product weaknesses. How can I say this in a politically correct way? You sometimes need to look under the hood.
4- A trial version of the software may be unavailable to you
For the more complex software systems, vendors are reluctant to provide trial versions of their software to potential end users. A simple reason for this is that without the right system configuration and proper training, users may not be able to access the desired features, which may lead them to incorrect conclusions about the suitability of the product. At the same time, a lack of direct access to the product makes the evaluation process more challenging and less accurate. For many reasons, vendors are less reluctant to share such evaluation copies with third-party consultants, putting the consultants in a much better position to make the right choice.
5- A wrong selection may have serious consequences
I have seen companies lose millions of dollars and waste years of effort because of poor software purchasing decisions. A modest investment in bringing experts into the selection process could have prevented such losses.

Finally, software selection does not have to cost you an arm and a leg. Yes, I have seen some of the high price tags on this type of service offered by larger IT consulting firms. But it doesn't have to be that way. A smaller firm experienced in this process can be just as effective in managing your selection process at a much lower cost.