The Most Important Question in Enterprise Authentication: Could You Answer It?

Posted by Chris Hayes on Wed, Aug 26, 2015


Application access: it's easy to provision using today's standards and tools. Cookies, headers, SAML, Kerberos, WS-Federation and OpenID: the tools are there and easier than ever to configure. Salesforce.com, Office 365, SharePoint, Box and more: your users are getting into these applications without logging in multiple times (we hope; if not, check out EmpowerID SSO). For many organizations this is how the story goes:

  • User A needs access to Application B
  • User logs into a webserver with a credential
  • Webserver validates that credential
  • Webserver redirects User A to Application B
  • User A is in Application B
  • End of story

Yes, these are the basics of authentication: an SSO portal.

But intelligent organizations should ask themselves questions like:

  • How long should User A have access to that application?
  • Who should authorize that User A should even have access to Application B?
  • How often should we review that User A should still have access to Application B?

Why are these important questions? In IT we just know that access should be given or taken away. We typically don't get involved in trying to answer a question like why someone should have access. It's for this reason that many environments have layers and layers of access that has been granted and never removed, like layers of sediment. Nobody has ever bothered to ask why this user has access to this application.

Enter the most important question in authentication today: why does a user have access to an application? If we can answer that question, then the other related questions fall into place: who gave them access and how long that access should last. Before you start breaking out Excel spreadsheets and walking the floors asking this question, let us propose a different route called automated attestation and certification.

EmpowerID ships with attestation and audit capabilities that slice and dice these tasks and automatically send them out to managers. EmpowerID lets audit officers choose what they want to certify, including things like:

  • Groups
  • Applications
  • SharePoint sites
  • File shares
  • And more

Once an auditor sets a date for the audit to be complete, EmpowerID will automatically generate tasks for managers, who can comment and certify as they see fit.


Audit owners can go in and review progress on the certification at any time to ensure it is on track.


EmpowerID Attestation and Certification audits are all kept historically too, so no matter when that question comes up you can always go back and see who certified the access and for what reason the access was granted. Best of all, when a manager certifies that access, EmpowerID allows the manager to specify how long that access should be valid. So short-term employee and vendor access just got that much easier to manage!

If you would like to discuss Attestation and Certification in more detail, please click the link below and we will reach out.

Request a Demo