FIM vs EmpowerID - Building Identity Bridges That Scale

Posted by Chris Hayes on Mon, Aug 03, 2015

Microsoft FIM/Identity Manager is one of those tools many organizations start out with for identity synchronization projects.  Testing the waters, it is often set up to flow identities and attributes to and from an HR database or another Active Directory forest.  With a few identities it works well enough, but ask it to handle tens of thousands of identities and millions of attribute changes and you had better clear your calendar for the rest of the week.


The problem many start to recognize is that the FIM sync engine is like a single-lane bridge between identity stores.  It works fine when servicing a very small town, but when it has to serve a busy city things back up quickly.  This architectural limitation means sync jobs can run for days, even a week, and in today's instant-on/instant-off world that creates serious issues.  When you disable an account in your directory store, the expectation is that the change is reflected in the other directories quickly, not in a week; until the sync completes, the account is still enabled in every store the change has not reached.


EmpowerID was built from the ground up to scale: each lane can be another EmpowerID server checking in to help process sync jobs to other identity stores.  Our distributable, multi-instance sync engine is capable of handling the largest and most demanding environments, with billions of objects handled on time, every time.

The EmpowerID Inventory and Sync engines manage the data housed in the Metadirectory and let you determine attribute flow between connected systems.  The flow rules below can be configured for each account store we connect to:

  • No Sync: When this option is selected, no information flows between EmpowerID and the native system.
  • Bidirectional Flow: When this option is selected, changes made within EmpowerID update the native system and vice-versa.
  • Account Store Changes Only: When this option is selected, changes can only be made in the native system and are then passed to EmpowerID.
  • EmpowerID Changes Only: When this option is selected, changes can only be made in EmpowerID and are then passed to the native system.
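
To make the four rules concrete, here is a small Python model of a flow-rule check, added to this post rather than taken from EmpowerID's engine.  The store and attribute names, the "store"/"metadir" origin labels and the conflict rule (when both sides change the same attribute under bidirectional flow, the later change wins) are assumptions.  What it shows is that the rule decides which direction a change may cross the bridge, and that changes the rule blocks remain as drift between the two records rather than silently disappearing.

```python
"""Attribute-flow enforcement between a metadirectory and one connected
account store, modelled on the four flow rules listed above.
Added example, not EmpowerID code; names, origin labels and the conflict
rule (later timestamp wins under bidirectional flow) are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class FlowRule(Enum):
    NO_SYNC = "No Sync"
    BIDIRECTIONAL = "Bidirectional Flow"
    ACCOUNT_STORE_ONLY = "Account Store Changes Only"   # store -> metadirectory
    EMPOWERID_ONLY = "EmpowerID Changes Only"           # metadirectory -> store


# Which origin may push its changes across to the other side under each rule.
ALLOWED_ORIGINS = {
    FlowRule.NO_SYNC: frozenset(),
    FlowRule.BIDIRECTIONAL: frozenset({"store", "metadir"}),
    FlowRule.ACCOUNT_STORE_ONLY: frozenset({"store"}),
    FlowRule.EMPOWERID_ONLY: frozenset({"metadir"}),
}


@dataclass
class Change:
    origin: str   # "store" or "metadir" (assumed labels for the two sides)
    attr: str
    value: str
    ts: int       # when the change happened; later wins if both sides changed


@dataclass
class SyncResult:
    metadir: dict
    store: dict
    rejected: list = field(default_factory=list)


def apply_flow(rule, metadir, store, changes):
    """Replay changes in time order.  A change is always recorded on the side
    where it originated (it has already happened there); it is copied across
    only if the rule permits that direction, otherwise it is reported as rejected."""
    metadir, store = dict(metadir), dict(store)
    result = SyncResult(metadir, store)
    for ch in sorted(changes, key=lambda c: c.ts):
        src, dst = (store, metadir) if ch.origin == "store" else (metadir, store)
        src[ch.attr] = ch.value
        if ch.origin in ALLOWED_ORIGINS[rule]:
            dst[ch.attr] = ch.value
        else:
            result.rejected.append(ch)
    return result


def drift(result):
    """Attributes whose values differ between the two sides after the run."""
    attrs = set(result.metadir) | set(result.store)
    return {a for a in attrs if result.metadir.get(a) != result.store.get(a)}


# Constructed starting state: both sides in agreement.
METADIR = {"mail": "jdoe@example.com", "title": "Analyst", "enabled": "true"}
STORE = dict(METADIR)

# Constructed change stream: EmpowerID disables the account, HR (via the store)
# updates the title, then someone re-enables the account directly in the store.
CHANGES = [
    Change("metadir", "enabled", "false", ts=100),
    Change("store", "title", "Senior Analyst", ts=110),
    Change("store", "enabled", "true", ts=120),
]

if __name__ == "__main__":
    for rule in FlowRule:
        r = apply_flow(rule, METADIR, STORE, CHANGES)
        print(f"{rule.value:28} drift={sorted(drift(r))} rejected={len(r.rejected)}")
```

Under "EmpowerID Changes Only" the re-enable made directly in the store is rejected and shows up as drift on the enabled attribute.  That is the check a practitioner wants from a one-way rule: a change made in a system that is supposed to be managed from the metadirectory becomes a visible discrepancy to investigate (or for the next sync to revert) rather than quietly persisting.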

EmpowerID has created the best sync engine in the world, giving you fine-grained control over all aspects of identity, group, role and attribute synchronization.  Give us a call or click the link below for a quick demo of the EmpowerID difference.

Request a Demo

EmpowerID Inserts Intelligence into 2013 SharePoint People Picker

Posted by Chris Hayes on Wed, Jun 24, 2015


The SharePoint 2013 People Picker is the tool you use to find and select users, groups and claims when granting someone permission to a SharePoint site.  It is heavily dependent on how authentication is configured for your site, so you need to ensure your SAML or claims provider is intelligent.

Not all claim providers are created equal!

Today the most common issue SharePoint administrators find with a claims-based authentication provider is that the People Picker accepts any name you type.  Even worse, with a typical claims provider you can type nonsense and still see two results, neither of them valid, because the provider echoes the typed text back as a claim rather than looking it up.

Credit: Kirk Evans, Microsoft blog

This is not because the SharePoint People Picker needs to be fixed; it is working as designed, and the result comes from the claims provider.  The practical risk is that a permission can be granted to a mistyped or non-existent name without any error, and because SharePoint matches on the claim value it was given, any user who later presents that exact value from the trusted provider receives the access.

The EmpowerID SharePoint Manager solves this problem; we have created the most intelligent claims provider on the market today.  In doing so we set out to do four things that have a huge impact on the day-to-day operations of your SharePoint site.


1. Create the most intelligent claims provider in the world.  We didn't stop at returning valid, resolved results for a query; we also segregate the data so that delegated administrators only see results for the identities they are allowed to see.  This matters: if a business partner administrator wants to grant someone rights to a site, EmpowerID's data filtering and masking is still enforced, so the partner cannot browse or select identities outside their scope.


2. Provide SharePoint web parts that let users find new sites and request access to them, and let site administrators approve those requests, all directly within SharePoint.

3. Fully support federated or claims-based authentication into SharePoint.  Users can authenticate with EmpowerID, bring their own social identity or use another identity provider.



4. Answer the "why" question: why does someone have access, and when was it granted?  The other side of a SharePoint claims provider is tracking these finer details.  EmpowerID includes full certification and attestation for SharePoint access, giving your enterprise risk controls that were not previously available.

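
The following Python sketch, added here and not EmpowerID's SharePoint Manager code, contrasts the echo behaviour described above with a provider that resolves names against a directory and filters by the requesting administrator's scope.  The directory entries, the scope table and the choice of the standard emailaddress claim type are assumptions; the security property to notice is that a non-existent name and an out-of-scope name both resolve to nothing, so the picker neither grants to phantoms nor lets a delegated administrator enumerate identities outside their scope.

```python
"""People Picker name resolution: an echoing provider beside a directory-backed,
scope-filtered one.  Added example, not EmpowerID's SharePoint Manager code.
Directory entries and admin scopes are constructed; the claim type is assumed."""
from dataclasses import dataclass

# Standard WS-Federation/SAML email address claim type, commonly used as the
# identity claim for a SharePoint trusted identity provider.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed identity store the provider resolves against.
DIRECTORY = [
    {"upn": "alice@corp.example", "name": "Alice Adams", "org": "corp"},
    {"upn": "bob@corp.example", "name": "Bob Baker", "org": "corp"},
    {"upn": "carol@partner.example", "name": "Carol Chen", "org": "partner"},
]

# Constructed delegation scopes: which organisations each administrator may see.
ADMIN_SCOPE = {
    "it-admin@corp.example": {"corp", "partner"},
    "partner-admin@partner.example": {"partner"},
}


@dataclass(frozen=True)
class ResolvedClaim:
    claim_type: str
    value: str
    display: str


def echo_provider(query, admin):
    """The behaviour the post warns about: the typed text comes back as a
    resolvable claim whether or not anyone has that identity, so a permission
    can be granted to a mistyped or non-existent principal with no error."""
    q = query.strip()
    return [ResolvedClaim(EMAIL_CLAIM, q, q)] if q else []


def scoped_provider(query, admin):
    """Resolve only identities that exist and that the requesting administrator
    is allowed to see.  An exact UPN match is listed first, then display-name
    substring matches.  Out-of-scope and non-existent names both yield nothing,
    so a delegated admin cannot use the picker to enumerate other organisations."""
    q = query.strip().lower()
    if not q:
        return []
    visible = ADMIN_SCOPE.get(admin, set())   # unknown administrator sees nothing
    hits = [e for e in DIRECTORY
            if e["org"] in visible
            and (e["upn"].lower() == q or q in e["name"].lower())]
    hits.sort(key=lambda e: e["upn"].lower() != q)   # exact UPN match first
    return [ResolvedClaim(EMAIL_CLAIM, e["upn"], e["name"]) for e in hits]
```

Feeding the same nonsense query to both functions shows the difference: the echo provider hands back a claim carrying the nonsense as its value, the scoped provider returns an empty list and the picker has nothing to offer for selection.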

Want to know more?

Watch a previously recorded webinar that discusses these points, or click the button to request more information.

Request a Demo


Tags: Single Sign-on (SSO), authentication, Governance and Regulatory Compliance, Federation, User provisioning, Data Governance, Attestation, consumers, SAML, SharePoint, Access Governance, SSO

Data breaches continue to grow in Healthcare sector

Posted by Chris Hayes on Tue, May 26, 2015

Internal employees continue to pose the biggest risk in security breaches.

Latest Experian security forecast: the cost of breaches in the healthcare industry could reach $5.6 billion annually.

How will the next identity spill happen?  The latest Experian data breach industry forecast points to your employees as the biggest threat.  Stronger external authentication and tighter protocols continue to miss the mark; employee negligence will continue to be the leading cause of security incidents in 2015.

Experian goes on to state that healthcare breaches will continue to grow this year.  Securing such a significant amount of data is already a huge challenge, and the problem becomes more serious when organizations face a shortage of internal expertise.  With the majority of breaches originating inside company walls, the report indicates business leaders need to fight the root cause of data breaches rather than buy the latest security widgets.

What are some steps that you can take in your organization to prevent the next identity spill?

Performing regular certification/attestation of access – At any time you need to be able to snapshot the access granted to a resource by roles, locations and person accounts.  Security assignments should be automated, but access should be certified and routed to an appropriate authorized person for review, who verifies the access and certifies whether it is still valid.  A tool like EmpowerID makes this easy with scheduled certification and attestation policies that can be run and audited.

Implement automated provisioning/deprovisioning – Role-based or attribute-based access needs to be provisioned or deprovisioned automatically and immediately.  When an employee's role changes, the resultant set of access needs to be recalculated instantly: some application and resource access will be taken away and some will be granted.  Absence of role-based deprovisioning is a root cause of employees accumulating too much access.  EmpowerID lets you provision and deprovision based on roles in the organization.

Implement RBAC & ABAC controls – You need an RBAC/ABAC engine to continuously evaluate how much access someone should or shouldn't have.  EmpowerID uses a hybrid approach combining RBAC and ABAC with rules and even Separation of Duties enforcement.

Control access to applications via a central identity provider – Having users log into apps with a separate username and password is a recipe for disaster.  An IdP lets you centrally validate someone's identity and then assert that identity into applications wherever they are.  The EmpowerID IdP lets employees search for the applications granted to their role, removes those that are not granted and provides SSO into the application.

Provide self-service password reset – Let's face it, this not only tightens security but saves a lot of money.  EmpowerID provides fully detailed audit trails of anything account related, such as who changed the password, who approved it and more.

Implement strong authentication, regardless of the application – There are a lot of ways into your network.  The VPN, the email server and SaaS applications are all exposed entry points into the protected network.  Do they all have the same authentication capabilities?  You need an authentication service that supports all the protocols, not just the most common ones.  EmpowerID can step up authentication at any level for any service: the VPN, the routers, the SaaS apps, SharePoint, it doesn't matter.

The bottom line: an ounce of prevention is better than a pound of cure.  According to Experian the average cost per lost record is just under $200, with an average total impact cost to your organization of just under $4 million.  Click through below and let us show you how easy it is to automate access and control privilege in your environment.

Request a Demo

Tags: GRC, authentication, IAG, IAM, Identity and Access Management (IAM), Access Governance

AWS & Azure the new access management silos, says Patrick Parker @ EIC 2015

Posted by Chris Hayes on Wed, May 06, 2015


“Organizations need to have the tools to manage these new access silos,” he told the opening session of the 2015 European Identity & Cloud (EIC) conference taking place in Munich.

During his keynote on day 1, Patrick identified the many limitations encountered when managing these new access silos in AWS and Azure.

During day 2 Patrick discussed the role of IAM in hack prevention highlighting the recent Sony Pictures hack.


If you're around on the 7th you can catch his IAM best practices discussion from 12:00 to 13:00, or stop by for a discussion or deep-dive demo to see what makes empowerID the best IAM suite on the market today.  For those unable to attend in person, empowerID will share the presentations in the near future.

Request a Demo

Tags: Active Directory, IAM, Attestation, Identity and Access Management (IAM), Access Governance

Adaptive 2-Factor Authentication for Citrix Netscaler

Posted by Chris Hayes on Thu, Apr 30, 2015


What is adaptive authentication?  By definition, something adaptive has a capacity or tendency toward adaptation when faced with different scenarios.  empowerID has taken this concept and applied it to our class-leading RADIUS service for Citrix and other "edge devices" from Cisco, Juniper, Palo Alto, F5 and more.

Having managed many Citrix NetScaler strong authentication projects myself I understand the challenges faced when enabling 2-factor authentication with NetScaler products.

Common questions you should ask yourself when undertaking a project like this:
  • What methods does the authentication support?
  • Can I migrate users by groups in the back end rather than cut everyone over at the same time?
  • What kind of logging and reporting is available?
  • How scalable is the solution?
  • How are the configurations stored?
Now that we know the questions to be aware of, let's walk through an empowerID workflow for Citrix NetScaler.

Adaptive Auth for Citrix

  1. Multiple users go to log in to the NetScaler
  2. The NetScaler takes in a username and password
  3. This information is passed to empowerID's RADIUS endpoint
  4. empowerID looks at the group membership of the user
  5. One user goes through 2-factor authentication
  6. One user goes through single-factor authentication
  7. Both users are presented with the same information after authentication
This truly adaptive model means you can migrate some of your users to 2-factor authentication while keeping others at single-factor authentication, with nothing to change on the NetScaler: the decision is made by the RADIUS service from group membership.
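
The seven steps above as a RADIUS-side decision, written in Python as an added example that is not empowerID's RADIUS service.  The user store, the MFA pilot group name, the two-minute challenge lifetime and the use of RFC 6238 TOTP as the second factor are assumptions; the reply codes (Access-Accept, Access-Reject, Access-Challenge) and the State attribute that ties a challenge to the follow-up request are standard RADIUS.  The point the diagram makes is visible in access_request: the same endpoint answers Accept for one user and Challenge for another purely on group membership.

```python
"""Adaptive step-up decision behind a RADIUS endpoint, following the seven
steps above.  Added example, not empowerID's RADIUS service.  User store,
group name, challenge lifetime and TOTP (RFC 6238) second factor are assumptions."""
import hashlib
import hmac
import secrets
import struct
import time

MFA_GROUP = "mfa-pilot"       # assumed: members of this group get the second factor
CHALLENGE_TTL = 120           # assumed: seconds a challenge stays valid
TOTP_STEP = 30


def _enroll(password, groups, totp_secret=None):
    """Constructed user record: PBKDF2 password verifier, groups, optional TOTP seed."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000),
            "groups": set(groups), "totp_secret": totp_secret}


# Constructed user store: alice is in the MFA pilot group, bob is not.
USERS = {
    "alice": _enroll("alice-pass", {"vpn-users", MFA_GROUP}, b"alice-shared-seed"),
    "bob": _enroll("bob-pass", {"vpn-users"}),
}

PENDING = {}   # State attribute value -> (username, expiry); in-memory for the example


def totp(secret, t, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 with a 30-second step."""
    counter = struct.pack(">Q", int(t) // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_password(user, password):
    if password is None:
        return False
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 50_000)
    return hmac.compare_digest(cand, user["pw_hash"])


def verify_otp(secret, otp, now, skew=1):
    """Accept the current code and one step either side to tolerate clock drift."""
    return any(hmac.compare_digest(otp, totp(secret, now + k * TOTP_STEP))
               for k in range(-skew, skew + 1))


def access_request(username, password=None, state=None, otp=None, now=None):
    """Return (RADIUS reply code, reply attributes).
    First leg: username and password.  Second leg: the State we issued plus the one-time code."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if state is not None:                                   # second leg of a challenge
        pending = PENDING.pop(state, None)                  # State is single use
        if user is None or pending is None or pending[0] != username or pending[1] < now:
            return "Access-Reject", {}
        if otp and verify_otp(user["totp_secret"], otp, now):
            return "Access-Accept", {"Class": "two-factor"}
        return "Access-Reject", {}
    if user is None or not verify_password(user, password):
        return "Access-Reject", {}
    if MFA_GROUP in user["groups"]:                         # step 4: group membership decides
        if not user["totp_secret"]:
            return "Access-Reject", {}                      # in the pilot but not enrolled: fail closed
        st = secrets.token_hex(16)
        PENDING[st] = (username, now + CHALLENGE_TTL)
        return "Access-Challenge", {"State": st, "Reply-Message": "Enter your one-time code"}
    return "Access-Accept", {"Class": "single-factor"}
```

Two details are deliberate.  A user who is in the pilot group but has no enrolled second factor is rejected rather than quietly dropped to single factor, because the group is what the migration plan relies on.  And the State value is consumed on first use and expires, so a captured challenge cannot be replayed after the legitimate code has been entered.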

So let's get back to a few key points:
  • What methods does the authentication support?
  • Can I migrate users by groups in the back end rather than cut everyone over at the same time?
    • Fully supported.  Keep everyone going to the SAML login page and empowerID will determine whether the user needs 2-factor or single-factor authentication.
  • What kind of logging and reporting is available?
    • empowerID's audit and reporting engine leads the pack in real-time reporting and auditing.  While other products can't push reports up to a central audit point, empowerID has no such limitation.  Built from the ground up to scale, it lets you log into one place and review all audit reports.
  • How scalable is the solution?
  • How are the configurations stored?
    • empowerID configurations are stored in a database, the way it should be done, not in flat web.config or .conf files, which are not methods that scale.

Ready to learn more?

Request a Demo

Tags: Active Directory, IAM, Identity Management, SAML, Citrix, Palo Alto, Identity and Access Management (IAM), Radius, 2-Factor, Cisco

empowerID to Present at KuppingerCole European Identity & Cloud Conference

Posted by Chris Hayes on Tue, Apr 28, 2015

empowerID is excited to announce that CEO Patrick Parker will present at the European Identity & Cloud Conference (EIC) hosted by KuppingerCole on May 5-8 at the Dolce BallhausForum Unterschleissheim in Munich, Germany.

Patrick's session, entitled "How to Manage Authorizations in Cloud Services", takes place on Tuesday, May 5.

Topics covered will include:

• The race to transplant onsite infrastructure and applications to the Cloud
• How to enable strong yet flexible control over authorization
• How to approach the challenge of role and attribute-based authorization
• An overview of the authorization capabilities offered by the Microsoft Azure and Amazon AWS platforms, with best practice suggestions

empowerID was identified as an "Overall Leader" in the KuppingerCole Leadership Compass in 2014.  Click here for your copy of the latest KuppingerCole IAM/IAG Leadership Compass.

Tags: Role Based Access Control (RBAC), RBAC, SAML

EmpowerID - Combining Intelligence with Web and SAML SSO

Posted by Chris Hayes on Wed, Apr 01, 2015

Everyone's heard of Single Sign-On, or SSO.  It helps your end users get through their day: they validate their enterprise identity once and then get seamlessly into all of their enterprise applications.

The ugly secret of the SSO landscape is the lack of any real access control.  If you need to give someone access to an application like Salesforce, you have to add them to an Active Directory group.  That simply does not scale and instantly becomes an administrative burden.  Let's not even get into what happens when that person moves to a new department: are you really going back and removing them from the groups they should no longer have access to?

EmpowerID has created the world's first integrated Role Based Access Control (RBAC) and SSO mechanism, which lets you assign resources like salesforce.com to a business role, not a group.  This gives you unprecedented flexibility to assign resources, whether SharePoint, Salesforce or any other application, to roles.

With EmpowerID you can assign resources to specific roles.  For example, bank tellers may be in different Active Directory groups, but they can all be assigned the "Teller Business Role" and thereby be allowed access to the common resources for that role.  We've made it simple for you as an administrator too: manage these rules right in the EmpowerID WebAdmin console, as shown below.
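
As an added example covering both this post and the RBAC/ABAC, Separation of Duties and role-change provisioning points made in the healthcare post above, here is a Python model of a hybrid engine.  It is illustration, not EmpowerID's engine; the roles, resources, attribute conditions and the Loan Officer/Loan Approver toxic pair are assumptions.  Resources hang off business roles rather than directory groups, attribute conditions can withhold one of a role's resources from a particular person, a toxic role combination blocks the computation outright, and a role change yields explicit grant and revoke sets for the provisioning step.

```python
"""Hybrid RBAC/ABAC evaluation with Separation of Duties and the access delta
produced by a role change.  Added example, not EmpowerID's engine; roles,
resources, attribute conditions and the SoD pair are assumptions."""

# Business roles grant resources (applications, sites); directory groups are
# not the unit of assignment.
ROLE_RESOURCES = {
    "Teller": {"CoreBanking", "SharePoint-Branch"},
    "Loan Officer": {"LoanOrigination", "Salesforce", "SharePoint-Branch"},
    "Loan Approver": {"LoanApproval", "SharePoint-Branch"},
    "HR": {"Workday"},
}

# ABAC conditions: resource -> predicate over the person's attributes.  A role
# grants the resource only if the predicate holds for this person.
CONDITIONS = {
    "Salesforce": lambda p: p.get("employment") == "employee",          # contractors excluded
    "CoreBanking": lambda p: p.get("location", "").startswith("branch-"),  # branch staff only
}

# Separation of Duties: role pairs one person may never hold at the same time.
SOD_PAIRS = {frozenset({"Loan Officer", "Loan Approver"})}


def sod_violations(roles):
    """Toxic pairs fully contained in the given role set."""
    roles = set(roles)
    return {pair for pair in SOD_PAIRS if pair <= roles}


def resultant_access(person):
    """Resources the person's roles grant, filtered by attribute conditions.
    Raises instead of computing access when the role set violates SoD."""
    roles = set(person["roles"])
    bad = sod_violations(roles)
    if bad:
        raise ValueError(f"SoD violation: {sorted(sorted(p) for p in bad)}")
    granted = set()
    for role in roles:
        for res in ROLE_RESOURCES.get(role, set()):
            cond = CONDITIONS.get(res)
            if cond is None or cond(person):
                granted.add(res)
    return granted


def role_change_delta(person, new_roles):
    """What to provision and deprovision when the person's roles change."""
    before = resultant_access(person)
    after = resultant_access({**person, "roles": set(new_roles)})
    return {"grant": after - before, "revoke": before - after}


# Constructed person record: a teller at a branch, a regular employee.
PERSON = {"name": "Dana", "roles": {"Teller"}, "location": "branch-42", "employment": "employee"}

if __name__ == "__main__":
    print("teller access:", sorted(resultant_access(PERSON)))
    print("move to Loan Officer:", role_change_delta(PERSON, {"Loan Officer"}))
```

The delta is the part that answers the deprovisioning point: moving Dana from Teller to Loan Officer produces a revoke set (CoreBanking) as well as a grant set, so the old access does not linger the way it does when someone is simply added to another group.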

    Easily assign a resource to a role

Reach out and we can walk you through how to add intelligence into your SSO engine today.

Request a Demo

Tags: WS-Fed, RBAC, Federation, Access Governance, SSO

EmpowerID Named Overall Leader in IAM / IAG Suites

Posted by Patrick Parker on Thu, Feb 05, 2015

EmpowerID has been recognized as a three-time leader in a recent KuppingerCole report evaluating Identity and Access Management (IAM) / Identity Access Governance (IAG) product suites.

The IAM/IAG Leadership Compass “focuses on complete IAM/IAG (Identity Access Management/Governance) suites that ideally cover all major areas of IAM/IAG as a fully integrated offering,” Martin Kuppinger wrote in the report.

KuppingerCole, a respected global analyst firm focused on information security, examined Identity and Access Management / Governance suites for this report.  They specifically evaluated products that are integrated solutions with a broader scope than single-purpose products.  Martin Kuppinger concluded in the report, “With their Windows-based product they [EmpowerID] offer one of the best integrated IAM Suites. All components have been built by EmpowerID, allowing for tight integration into a well thought-out architecture. This integrated approach is a clear strength of EmpowerID."

To request an unabridged copy of the KuppingerCole report on IAM/IAG Suites, please visit http://info.empowerid.com/download-the-free-kuppingercole-iam-suites-leadership-compass.

Tags: Role Based Access Control (RBAC), GRC, authentication, IAG, IAM, Group Management, Governance and Regulatory Compliance, Identity Management, Federation, User provisioning, Attestation, Separation of Duties, Identity and Access Management (IAM), Access Governance

World's First Virtual Directory Built on Node.js®

Posted by Chris Hayes on Thu, Feb 05, 2015

EmpowerID has cleaned the dust off the Virtual Directory market with the world's first Virtual Directory Service written in Node.js, integrated with our world-class IAM suite.

Virtual Directory Services (VDS) are supposed to aggregate identity and user information stored across data stores into a single point of access.  The dirty little secret of the market is the latency a VDS adds when returning identity information, and it compounds with every chained LDAP call.  Some have tried to move from a "proxy" view to a cached view, but I/O is still slow.

EmpowerID looked at the current VDS landscape, identified the issues and built our VDS from the ground up on Node.js.  Compared with legacy VDS technology that spawns a new thread for each connection or request and consumes RAM for each one, Node.js runs on a single thread using non-blocking, event-driven I/O.  This lets it hold tens of thousands of concurrent connections.

Picture from toptal.com, "Why use Node.js"

So, why use EmpowerID's VDS?
• Highly scalable: a VDS should be able to handle incoming LDAP connection requests, and we do it better than anyone in the industry.
• Data transformation lets you easily support legacy apps that require a fixed schema.
• Persistent Metadirectory cache that automatically refreshes the source data.
• Ties in with the full IAM suite from EmpowerID.
• Group-based authorization and provisioning for all of your authentication endpoints.
• Application authorization provides a virtual view of all existing groups.
• Easily onboard new organizations' directory stores into a unified view.
• Create a single unified user profile from your disparate user stores.
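
To show what data transformation into a fixed schema and a refreshed cache look like in practice, here is an added Python example (not EmpowerID's Node.js VDS): two constructed backends, an AD-style store and an HR store, are joined on the login name and presented through one legacy schema, with a per-attribute precedence list and a TTL cache.  The store contents, attribute names, precedence order and 60-second TTL are assumptions.

```python
"""A virtual view over two identity stores with a fixed legacy schema and a
time-limited cache.  Added example, not EmpowerID's VDS (which is Node.js);
store contents, attribute names, precedence and TTL are assumptions."""
import time

# Constructed backend views, as a proxy-mode VDS would read them.
AD_STORE = {
    "jdoe": {"sAMAccountName": "jdoe", "mail": "jdoe@corp.example",
             "displayName": "Jane Doe",
             "memberOf": ["CN=Tellers,OU=Groups,DC=corp,DC=example"]},
    "svc-backup": {"sAMAccountName": "svc-backup", "mail": "backup@corp.example",
                   "displayName": "Backup Service"},
}
HR_STORE = {
    "10042": {"employee_id": "10042", "login": "jdoe", "preferred_name": "Jane D.",
              "dept": "Retail Banking", "status": "active"},
}

# Legacy schema the consuming application expects.  Each attribute is pulled from
# a (store, source attribute) list in precedence order; the first store that has
# a value wins, so HR is authoritative for the name but AD for mail.
SCHEMA = {
    "uid": [("ad", "sAMAccountName"), ("hr", "login")],
    "mail": [("ad", "mail")],
    "cn": [("hr", "preferred_name"), ("ad", "displayName")],
    "employeeNumber": [("hr", "employee_id")],
    "departmentNumber": [("hr", "dept")],
    "memberOf": [("ad", "memberOf")],
}


class VirtualDirectory:
    def __init__(self, ttl=60):
        self.ttl = ttl
        self._cache = {}   # uid -> (expires_at, entry)

    def _fetch(self, uid):
        """Read both backends, join HR to AD on the login name, map to SCHEMA."""
        sources = {
            "ad": AD_STORE.get(uid),
            "hr": next((r for r in HR_STORE.values() if r.get("login") == uid), None),
        }
        if all(v is None for v in sources.values()):
            return None
        entry = {}
        for attr, candidates in SCHEMA.items():
            for store, src_attr in candidates:
                rec = sources[store]
                if rec is not None and src_attr in rec:
                    entry[attr] = rec[src_attr]
                    break
        entry["dn"] = f"uid={uid},ou=people,dc=virtual,dc=example"
        return entry

    def lookup(self, uid, now=None):
        """Return (entry or None, served_from_cache).  Expired entries are
        re-read from the sources, which is what keeps the cache fresh."""
        now = time.time() if now is None else now
        hit = self._cache.get(uid)
        if hit is not None and hit[0] > now:
            return hit[1], True
        entry = self._fetch(uid)
        if entry is not None:
            self._cache[uid] = (now + self.ttl, entry)
        return entry, False
```

A client that only understands the legacy attributes sees one entry with uid, cn, mail and employeeNumber regardless of which backend each value came from, and a second lookup inside the TTL never touches the backends, which is where the latency the post complains about is avoided.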

Ready to learn more?

Request a Demo

Tags: IAM, Federation, Virtual Directory, VDS

Manage Your Office 365 Environment Without DirSync

Posted by Chris Hayes on Mon, Jan 05, 2015

All too often a migration to the cloud involves supporting bits and pieces of software you didn't expect.  These road bumps can easily turn into a major headache for your organization's IT team.  Migrations to Office 365 require a "user sync tool" out of the box called DirSync or AAD Sync.  These extra pieces of software are difficult to manage, configure and maintain, and many companies are desperately looking for alternatives.

The EmpowerID Office 365 Manager allows your organization to take control of all aspects of your migration to Office 365.  Whether you're just starting or have fully cut over to O365, you can now put DirSync out to pasture.

EmpowerID Office 365 Manager allows for:

Single Sign-On - Employees continue to log in to Outlook, OWA, Lync and SharePoint with their corporate Active Directory username and password via Microsoft ADFS.

Administration and User Provisioning - Automate provisioning, delegated administration and de-provisioning, all without DirSync or AAD Sync.

Access Governance - Audit and periodically re-certify access to Office 365 mailboxes and groups based on your organization's specific attestation requirements.

Audit Logging - Keep track of what's happening in your environment, and have reports emailed to you for review.

Role-Based Delegated Admin - Allow separate business units, or even separate companies, to manage their own users.

Self-Service Password Management - Stop the high number of password reset calls to your helpdesk.

On top of total governance of Office 365 from an on-premise IAG solution, EmpowerID lets you manage multiple tenants from a single Active Directory domain, or multiple AD domains into a single tenant.  Being able to manage complex Office 365 deployments means new domains can be integrated should the need arise.

If you're ready to learn more you can watch this previously recorded Office 365 demo, or shoot us an email and we'll walk you through your options.

Request a Demo

Tags: IAG, O365, DirSync, Office 365