All-In-One Identity Management and Cloud Security

“Organizations need to have the tools to manage these new access silos,” he told the opening session of the 2015 European Identity & Cloud (EIC) conference taking place in Munich.

During his Keynote discussion on day 1 Patrick identified the many limitations when managing new access silos in AWS and Azure.  

During day 2 Patrick discussed the role of IAM in hack prevention highlighting the recent Sony Pictures hack.

If you're around on the 7th you can catch his IAM best practices discussion from 12:00-13:00 PM or stop by for a discussion or deep dive demo to see what makes empowerID the best IAM Suite in the market today.  For those unable to attend in person empowerID will be sharing the presentations in the near future.

 

What is Adaptive authentication? By definition something adaptive should have a capacity or tendency toward adaptation when faced with different scenarios. empowerID has taken this concept and applied it to our class leading Radius service for Citrix and other "edge devices" like Cisco, Juniper, Palo Alto, F5 and more.

Having managed many Citrix NetScaler strong authentication projects myself I understand the challenges faced when enabling 2-factor authentication with NetScaler products.

Common questions that you should ask yourself when undertaking a project like this are.

• What methods does the authentication support?
• Can I migrate users by groups in the back end rather than cut everyone over at the same time?
• What kind of logging and reporting is available?
• How scalable is the solution?
• How are the configurations stored?

So we know some of the questions you need to be aware of, let's walk through an empowerID workflow for Citrix NetScaler below.

 

1. Multiple users go to login to the NetScaler
2. The NetScaler takes in a username and password
3. This information is passed to empowerID's Radius endpoint
4. empowerID looks at the group membership of the user
5. One user will go through 2-factor authentication
6. One user will go through Single Factor authentication
7. Both users will be presented with the same information after authentication

This truly adaptive model means you can migrate some your users to 2-factor authentication while keeping some at single factor authentication.

So let's get back to a few key points:

1. What methods does the authentication support?

• empowerID supports Radius, LDAP, SAML, WS-Federation, WS-Trust, OAuth and more

Can I migrate users by groups in the back end rather than cut everyone over at the same time?

• Fully supported, keep everyone going to the SAML login page and empowerID will determine if the user needs 2-factor or single factor authentication.

What kind of logging and reporting is available?

• empowerID's audit and reporting engine leads the pack when it comes to real time reporting and auditing.  While other products can't push reports up to a central audit point empowerID doesn't have the same limitations.  Built from the ground up to scale you can log into one place and review all audit reports.

How scalable is the solution?

• 3-tier architecture model means you can easily scale to millions of users.

How are the configurations stored?

• empowerID configurations are stored in a database, the way it should be done.  Not in flat web.config or .conf files, these aren't methods that scale.

Ready to learn more?

 

 

Security for identities.  Managing user access to applications.  Auditing user access.

“Ugh”, you might think, “That sounds like more cost, more time, and more responsibility for IT”.

But a platform approach to Identity and Access Management (IAM) that is rich in innovation can result in lower costs, better productivity, and reduced demands for IT resources, while providing managers with better and more timely information.

Take for example a home healthcare provider with $2 billion in revenue and 40,000 employees in 40 states facing constant pressure to reduce costs as a result of declining government reimbursements for their services.  This organization had already used their considerable size advantage to create efficiencies and reduce costs wherever possible.  Then their Chief Security Officer (CSO) conducted a review of IAM technology and presented his management with a plan that would improve the productivity of their employees, reduce the workload on IT, improve the security for patient data and assist their organization in continuing to be a leader in the quality of patient services.

Built from a series of acquisitions in an industry that experiences high turnover, this organization lacked an efficient process for provisioning home healthcare workers into the many web applications they need to perform their work.  The process began with HR creating a manual request for IT to provision a new user into the apps they require, and once this was completed, the new user had to register themselves and create a password in each application. This process was complex and required too much effort for the home healthcare employees to learn and to maintain.

The CSO’s experience with several of the oldest and most installed IAM platforms made him wary of starting a new project with one of them because of their high licensing costs and the difficulty in customizing them to meet an enterprise’s specific needs.  He wanted a solution that would be easier to implement and easier to mantain.

After evaluating multiple products, he chose the EmpowerID platform for its different and innovative approach to Identity and Access Management.  Built on a single codebase with a workflow core and shipping with hundreds of ready to deploy workflows, the CSO was impressed with EmpowerID's broad functionality and its ability to easily design and to automate complex IAM processes with its visual Workflow Designer. 

The CSO determined during a software trial that EmpowerID’s powerful Role-Based Access Control (RBAC) engine could create effective roles based on both an employee’s place in the organizational hierarchy and their location, and it could scale easily for the size of their staff. EmpowerID proved itself to be flexible in also offering Attribute-Based Access Control (ABAC) for their scenarios where the use of contextual policies to govern access is more appropriate. 

He also discovered that EmpowerID’s integrated Single Sign-On (SSO) module federates not only with more recent web applications that natively support SAML authentication, but also with legacy applications that lack SAML capabilities.  Thus he could accommodate all of his user scenarios end to end, from provisioning to access, using EmpowerID, rather than having to integrate two or more applications. 

The CSO concluded that EmpowerID’s “all in one” approach could create the solution they needed in a shorter timeframe with fewer professional services and less risk to their project timeline and budget. The ability to show his management faster ROI helped him to obtain funding for the project. 

EmpowerID’s User, Group and SSO Manager modules were then deployed to provision and to manage federated identity for the application portal, allowing new users to be added within hours, instead of days, and enabling the use of one login by a healthcare provider to access all of their applications. 

New user onboarding was further simplified by creating a feed from the organization’s PeopleSoft HR application to EmpowerID, which in turn creates all the user accounts and access privileges in the applications they need, based on their business role. New users require less training and are ready to go to work as soon as they claim their identity upon first logging into the application portal.

The home healthcare staff appreciate EmpowerID's friendly HTML5 user interfaces that adapt to the screen size of any device they use, whether a tablet or a smartphone, and the reduction in effort to get to their clinical applications, while patients are pleased that less time is consumed by administrative tasks during their scheduled visits. 

EmpowerID’s multi-factor authentication capability (using an OATH token and SMS one time password) was implemented to strengthen system access security and to better protect the privacy of patient data, which is important in meeting regulatory and audit requirements.

EmpowerID also assists the organization’s auditors with data governance – the discipline of ensuring that access to corporate and patient data is secure and is subject to the proper controls. EmpowerID not only improves the quality of data, is also supports configurable Separation of Duties (SOD) policies, attestation procedures and system dashboards for quick visibility of pending tasks and system statistics. EmpowerID provides dozens of reports out of the box and it supports Microsoft’s SQL Reporting Services to quickly provide the information that different users need.

As a result of successfully automating their new user provisioning process and providing a seamless single-sign on experience for its home healthcare staff, this organization is realizing substantial productivity savings that will pay for EmpowerID in a period of just eighteen to twenty-four months. 

The CSO’s vision for a single, flexible platform that could be implemented on-time and within budget to automate and to securely manage multiple aspects of the enterprise, creating new efficiencies and cost-savings, has been fully realized with EmpowerID's deployment.

Ranked by KuppingerCole as a Product Leader, Innovation Leader and Overall Leader in their recent Leadership Compass for Identity Provisioning, EmpowerID helps diverse organizations across the globe improve identity security and access governance, increase productivity, lower costs, and improve service delivery through its innovative and cost-effective approach to IAM. 

 

Active Directory has to be accurate.  It is too important to security, productivity and your sanity to let its identity data be wrong.  Users need AD to log on to the network, applications need AD to resolve permissions, and everyone needs groups for email.

The problem is that all of that identity information that you need to synchronize with Active Directory is in different places.  The old days of writing a script to copy department code from your HRIS is gone; between network complexity and the cloud, you need a more powerful flexible identity synchronization solution.

EmpowerID employs a metadirectory to create a hub and spoke approach to identity and Active Directory synchronization.  The metadirectory becomes the full authoritative source for all identity information, using flexible attribute synchronization rules to move identity data from all sources to this central identity store.

From the metadirectory, you can then take all of the identity information for the user and synchronize it to Active Directory, then dynamically generating groups and roles for the user.  The attribute flow can be bi-directional, uni-directional, across forest and domain boundaries, to and from cloud applications.  The sky is the limit.

One of the big tricks is then managing data outside of ADUC.  EmpowerID not only has this powerful synchronization engine, but also provides AD self service with very flexible approval workflow capabilities.  The user can change their mobile phone number but will need manager approval to update their title, or IT approval to join the domain admin group.  Using EmpowerID's unique Rights Based Approval Routing (RBAR) technology, these approval workflows can be configured exceptionally easily and quickly.

Your network both on premise and cloud based has gotten big and complex but keeping AD accurate is simple with EmpowerID's combination of AD synchronization and AD self service.  Learn more about how to keep Active Directory accurate with a personalized demo or download this whitepaper.

How about a trick question?  What is your most authoritative source for identity information?  It's not that tricky....your HRIS.  But your actual users are an awfully close second.  They know themselves and if you give them a self service portal, they can make your life easier.

The real trick is what you allow them to update via self service.  Most shops allow some limited Active Directory self service.  But there is so much more that you can open up with a well designed self service identity management system...as long as you put controls, approvals and lifecycle into effect.

EmpowerID's HTML5 interface gives users a clean view into any application or identity store via a single interface from any device.  Attributes, group and role memberships, and permissions for any identity store / application can be managed via the metadirectory with updates either pushed directly to the application or synchronized on a scheduled basis.

Any field can be hidden, read-only, or editable based on the user's role(s).  Approval workflows are managed via EmpowerID's unique RBAR architecture (Rights Based Approval Routing), allowing you to easily manage who can and cannot make and approve changes.  Lifecycle can be applied to any object or membership, allowing you to have full identity lifecycle and temporary privileged access.

But the most important factor is what your users have access to self-serve.  Where most solutions stop at Active Directory, EmpowerID just starts there.  If a user needs to change their home phone number, that information needs to filter to AD for the GAL, HR for contact information, the emergency notification system, and to benefits databases.  Important information like this should not be left to scripts written by some contractor who won't work there in 3 months.

There are other glaring examples around group memberships which affect other systems.  Dynamic group memberships that are driven off of identity information.  Office locations that determine parking privileges.  Mobile phone numbers for second factor authentication and device registration.

Think of all of the things your users know about themselves that you cannot find out.  That is your list of attributes and systems that you allow self service for.  Think of everyplace that those attributes need to be synchronized.  That is your list of applications, databases and directories that you need to connect to.  Think of everyone who can actually approve those changes, that is your RBAR structure.

Allowing self service for identity management does not replace the connectors, synchronization and metadirectory.  It complements it and makes a more thorough identity management solution.

Active Directory is a bear to manage through ADUC.  It is clumsy and all-encompassing and the ability to manage granulary is exceptionally complex.  Delegating and instituting fine grained permissions requires deep and arcane knowledge of Active Directory.  In short, Active Directory management is difficult with ADUC and it doesn't have to be that way.

EmpowerID is a full IAM suite that has the ability to specifically manage Active Directory exactly the way you need, either through delegation or automation.  The actual changes are made in the EmpowerID metadirectory with a very well established and powerful connector to Active Directory.  So, you manage with EmpowerID's RBAC structure and then send those changes to AD.

One benefit of this structure is that you can manage multiple domains and forests from a single instance of EmpowerID.  Your helpdesk in Forest A can manage users in Forest B.  GAL synch is a breeze.

Another advantage is the full auditing controls of EmpowerID.  The ability to institute attestation and lifecycle on any AD object.  Full reporting and audit grids are available for business users and auditors.  Separation of duties can be applied from groups, OUs, roles and managed even cross forest if necessary.

Self service Active Directory management can be rolled out based on the user's roles, giving everybody the exact access to change identity attributes or group memberships that their roles allow.  Approval workflows are easy to configure using EmpowerID's proprietary Rights Based Approval Routing (RBAR).

Dynamic memberships in roles and groups are managed easily and efficiently in EmpowerID.  Group membership is always up to date with the ability to read identity attributes not only from Active Directory but any other identity store.

Everything can have a lifecycle, giving a 360 degree view of attestation and the ability to certify and approve lifecycle attestation from within emails.  Delegation and auditing of attestation should be a given.

Break glass permission workflows are available for temporary privileged access.  So, if an admin needs emergency access to a server, they can run the workflow, be granted temporary access, and have that access completely auditable and reported to the CISO.

If changes are made natively in ADUC, you can have a workflow to roll them back, report on those native changes, or send them for further approval.  Most importantly, with EmpowerID, you can completely shut off native ADUC access.  Many of our customers do this, having all changes made from within EmpowerID.

Active Directory management can be a lot better than ADUC will ever allow.  Read our whitepaper on replacing ADUC and improve your AD management with fewer resources.

There is a saying in Identity Management: "What you can't automate, delegate."  It may be something that only I say, but it should be said more often.  Because following that credo improves security, productivity and the bottom line.

The project list of things to automate is a mile long, starting with user provisioning and permissions, group and role memberships, identity synchronization, and so on.  For delegation, the list is equally as long -- password reset, group membership, single sign-on, cloud accounts, and the lowest hanging fruit: Active Directory self-service.

Active Directory is a tricky beast, there are parts of it you need to completely cordon off.  You can't let anyone mess with the OU structure or change their own title or delete user accounts.  But you do want them to update their own mobile phone number, change the title of the user reporting to them, join a distribution group, or update their password.  Within ADUC, it's all or nothing, there isn't a way to manage it granularly like this.

The key to any AD self service solution is to have controls in place; an RBAC policy that defines who can do what without undue amounts of configuration.  You need to be able to define who can do what action (change a password, update phone numbers, create a group), who needs to approve it, and what is even shown to each user.  Having a dynamically maintained role structure and Rights-based approval routing (RBAR) allows you to have this level of granularity.

EmpowerID's HTML5 user interface means that updates can be made from any device, its unique combination of RBAC and ABAC allows for very fine grained permissions, and RBAR means that you don't have to define every single permission for approvals, it is all handled within the system.

With all of this delegation power available from the self service interface, native access can be shut down to ADUC.  You can have admin roles, help desk roles, manager roles, user roles, and all of it managed dynamically.  No more accidental deletion of an OU because you had to give an intern access to ADUC to change a user's telephone number (true story).

What separates a full IAM solution from a point solution is what it does with this Active Directory information.  An IAM solution can take these changes to AD and flow them to other identity stores and applications.  For example, the phone number change can update the emergency contact list, a title change can update HRIS once an approval workflow is satisfied, a change in a security group can update a user's role in a cloud application.

I'm not sure if you noticed in this post, but this is all delegated or automated.  IT just configures it using EmpowerID's visual workflow studio and users and computers do the rest.  Delegate out this lowest hanging of all fruit, AD self service, and improve security, productivity and the bottom line!

Microsoft makes Office 365 pretty easy when you are already managing Active Directory with its DirSync utility.  However, this doesn't always work if your users are not in AD or if you have multiple forests.  So, how do you manage provisioning, group management and SSO to Office 365 without AD?

EmpowerID.

Let's take the first use case, users that are not in AD but that need an O365 account.  This happens often in franchises, education, manufacturing or when offering accounts to non-employees.  EmpowerID's metadirectory stores a "person" object that is completely independent of AD, this user account can then be provisioned to O365 and updated through EmpowerID's HTML5 user interface.

Users have the ability to manage group membership, passwords (including self service password reset) and single sign-on to O365 with the EmpowerID credentials.  All of these changes are made in the metadirectory which is synchronized directly to Office 365 without AD in between as well as direct Identity Administration where the workflows make live changes directly to Office 365 like we do to AD. Not all has to go through sync like FIM.

You can automate all of the provisioning/deprovisioning to the metadirectory based on a connector to any other system (student database for example).  The EmpowerID Office 365 connector does all of the heavy lifting that DirSync does but adds the complete workflow and RBAC capability of EmpowerID.  Without AD in the mix.

The other use case is one that a few customers have brought to us: Office 365 does not work with multiple AD forests unless you want to deal with FIM and the army of consultants / developers necessary to manage that.  Again, the EmpowerID metadirectory solves this, easily connecting and synchronizing each AD forest into the metadirectory, creating a person object that joins user accounts in each forest.

The EmpowerID Office 365 connector then does all of the heavy lifting, provisioning accounts, offering password management, single sign-on and group management.  Any changes you make can flow out to each AD forest as well.

The customers that have come to us for this scenario always point out the obvious, if they used FIM they are not future proofed, not only do they pay more for the initial deployment, but if there is another acquisition and another forest added, they have to start the whole process again with FIM.  With EmpowerID, it is a matter of connecting another AD forest with the connector already in place.  Easy peasy.

Office 365 is a great product (we use it internally) but there are limitations to deploying it with DirSync and some very specific use cases where it doesn't work.  EmpowerID fixes those use cases while giving a huge number of other IAM platform advantages.  Take the time for a demo of how we can manage O365 without AD and see how much more you can do with a robust single codebase IAM platform.