KuppingerCole Names EmpowerID as a Leader in Identity as a Service (IDaaS)

Posted by Bradford Mandell on Thu, Aug 17, 2017

9e58b0526a1a7b1ef541768df7d7.pngKuppingerCole, a respected global analyst focused on Information Security, examined 24 vendors in the Identity as a Service, Business to Enterprise market (IDaaS B2E) market.  EmpowerID was named as a Product Leader, a category which ranks vendors by functional strength and completeness of solution.  KuppingerCole stated in the report that EmpowerID "delivers a very broad feature set for Identity and Access Management, going well beyond Identity Provisioning but with tight integration to these core features."

KuppingerCole further recognized EmpowerID as an Innovation Leader, a measure of the platform's support for "leading-edge new features which deliver emerging customer requirements," and finally as an Overall Leader which measures leadership across all the factors they evaluate.

KuppingerCole noted that EmpowerID "takes a unique approach to IAM/IAG. It is built from scratch on a Business Process Management/Workflow platform" and the ability to modify and create visually designed workflows, "allows for great flexibility, while the product also delivers a broad set of out-of-the-box features."

Among top product leaders, EmpowerID differentiates itself by its innovative "everything is a workflow" approach to Identity and Access Management. Of EmpowerID, KuppingerCole stated "EmpowerID is a very interesting and innovative solution. It provides a well thought-out and flexible approach for Cloud IAM/IAG with strong Identity Federation and authentication support."

KuppingerCole also assigned EmpowerID the strongest ratings possible for the security, interoperability and usability subcategories of the Leadership Compass report.

The strength of EmpowerID's industry leading Identity and Access Management, Governance and Privileged Access Management feature set is derived from its all-in-one approach. It uses a single codebase, a common management console, and modern HTML5 adaptive user interfaces to combine high scalability and performance into a superior user experience. EmpowerID offers an Identity Warehouse to manage employee, partner, and consumer identities which are automated and secured by an Adaptive Authentication Engine, a powerful RBAC/ABAC engine, and over 750 out of the box workflows.

The breadth of EmpowerID's platform allows enterprises around the globe to extend their boundaries and to manage internal and client identities in on-premise, Cloud and hybrid environments.



To learn more about EmpowerID's strong, unique offering for business to employee IDaaS needs, read the full report: http://info.empowerid.com/download-the-free-kuppingercole-idaas-b2e-report-www

Tags: IAM, Federation, Identity and Access Management (IAM), IDaaS

Turkey citizenship database leak highlights need for full database encryption

Posted by Chris Hayes on Tue, Apr 05, 2016

Screen_Shot_04-04-16_at_09.08_AM.png

Citizens of Turkey woke up Monday with the knowledge that a Citizenship Database has been publicly dumped for anyone in the world to download and view.

The dumped database included:

  • National Identifier (TC Kimlik No)Screen_Shot_04-04-16_at_09.06_AM.png
  • First Name
  • Last Name
  • Mother's First Name
  • Father's First Name
  • Gender
  • City of Birth
  • Date of Birth
  • ID Registration City and District
  • Full Address

 

 

This database leak underlines why it is important to encrypt data at rest.  Most IAM projects implement 443 for access to the product, secure DMZ firewalls and Role Based Access Controls but neglect to implement encryption for the identity warehouse.  EmpowerID fully supports encryption of information in our identity warehouse and has been able to validate our latest release 2016 using these same encryption methods.

Notes from the database leaker

EmpowerID utilizes transparent data encryption (TDE) which provides full database-level encryption. TDE is the optimal choice for bulk encryption to meet regulatory compliance or corporate data security standards. TDE works at the file level, which is similar to two Windows® features: the Encrypting File System (EFS) and BitLocker™ Drive Encryption, the new volume-level encryption introduced in Windows Vista®, both of which also encrypt data on the hard drive.  This means that the identity and attribute information stored within EmpowerID will stay secure even if someone gets access to a backup of the database or gets access to the flat files from a server.

To learn more about how EmpowerID can utilize a fully encrypted database just click below.

Request a Demo

 

Tags: Data Governance, Identity and Access Management (IAM), Access Governance

Data breaches continue to grow in Healthcare sector

Posted by Chris Hayes on Tue, May 26, 2015

Internal employees continue to pose biggest risk in security breaches.

Screen Shot 05 26 15 at 10.13 AM resized 600

Latest Experian security forecast - Cost of breaches in the healthcare industry could reach $5.6 billion annually.

How will the next identity spill happen?  The latest Experian data breach industry forecast points to your employees being the biggest threat.  Stronger external authentication and tighter protocols continue to miss the mark.  Employee negligence will continue to be the leading cause of security incidents in 2015.

Experian goes on to state that Healthcare breaches will continue to grow this year.  With the huge challenge of securing such a significant amount of data, the problem becomes even more serious when organizations are faced with a shortage of internal expertise.  With the majority of breaches originating from inside company walls, the report clearly indicates business leaders need to fight the root cause of data breaches rather than buy the latest security widgets.

What are some steps that you can take in your organization to prevent the next identity spill?

Preforming regular certification/attestation of access – At any time you need to be able to snapshot the access granted to a resource by roles, locations and person accounts.  Security assignments should be automated, but access should be certified and routed to an appropriate authorized person for review.  This review should verify the access and certify if it is valid or not.  A tool like EmpowerID makes certifications easy for the organization with scheduled certification and attestation policies that can be run and audited.

Implement automated provisioning/deprovisioning – Role based or attribute based access needs to be automatically and immediately provisioned or deprovisioned.  When an employee’s role changes, the resultant set of access needs to be calculated instantly.  Some application and resource access will be taken away and some will be granted.  Absence of role based deprovisioning is a root cause of an employee having too much access.  EmpowerID takes provisioning to the next level by allowing you to provision and deprovision based upon roles in the organization.

Implement RBAC & ABAC controls - You need an RBAC/ABAC engine to continuously evaluate how much access someone should or shouldn't have.  EmpowerID uses a hybrid approach with RBAC and ABAC adding in rules and even Separation of Duties enforcement.

Control access to applications via a central identity provider - Having users log into apps with a separate username and password is a recipe for disaster.  An IdP allows you to centrally validate someone’s identity and then assert that identity into applications wherever they are.  The EmpowerID IdP allows employees to search for applications that are granted for their role, removes ones that are not granted and provides the SSO into the application.

Provide Self-Service password reset - Let's face it, this not only tightens up security, but saves a lot of money.  EmpowerID provides full detailed audit trails of anything account related such as who changed the password, who approved it and more.

Implement strong authentication, regardless of the application - There are a lot of ways to get into your network.  The VPN, the email server and SaaS applications are all exposed entries into the protected network.  Do they all have the same authentication capabilities?  You need an authentication service that supports all the protocols, not just those most used.  EmpowerID can step up authentication at any level for any service.  The VPN, the routers, the SaaS apps, SharePoint, it doesn't matter.

The bottom line is this, an ounce of prevention is better than a pound of cure.  According to Experian the average cost per lost record is just under $200 dollars, with average total impact cost to your organization just under $4 million.  Click through below and let us show you how easy it is to automate access and control privilege in your environment.

Request a Demo

Tags: GRC, authentication, IAG, IAM, Identity and Access Management (IAM), Access Governance

AWS & Azure the new access management silos, says Patrick Parker @ EIC 2015

Posted by Chris Hayes on Wed, May 06, 2015

20150505 171359

“Organizations need to have the tools to manage these new access silos,” he told the opening session of the 2015 European Identity & Cloud (EIC) conference taking place in Munich.

During his Keynote discussion on day 1 Patrick identified the many limitations when managing new access silos in AWS and Azure.  

During day 2 Patrick discussed the role of IAM in hack prevention highlighting the recent Sony Pictures hack.

DSC 0016 resized 600

If you're around on the 7th you can catch his IAM best practices discussion from 12:00-13:00 PM or stop by for a discussion or deep dive demo to see what makes empowerID the best IAM Suite in the market today.  For those unable to attend in person empowerID will be sharing the presentations in the near future.

 

Request a Demo

Tags: Active Directory, IAM, Attestation, Identity and Access Management (IAM), Access Governance

Adaptive 2-Factor Authentication for Citrix Netscaler

Posted by Chris Hayes on Thu, Apr 30, 2015

2-Factor for Citrix via empowerID

What is Adaptive authentication? By definition something adaptive should have a capacity or tendency toward adaptation when faced with different scenarios. empowerID has taken this concept and applied it to our class leading Radius service for Citrix and other "edge devices" like Cisco, Juniper, Palo Alto, F5 and more.

Having managed many Citrix NetScaler strong authentication projects myself I understand the challenges faced when enabling 2-factor authentication with NetScaler products.

Common questions that you should ask yourself when undertaking a project like this are.
  • What methods does the authentication support?
  • Can I migrate users by groups in the back end rather than cut everyone over at the same time?
  • What kind of logging and reporting is available?
  • How scalable is the solution?
  • How are the configurations stored?
So we know some of the questions you need to be aware of, let's walk through an empowerID workflow for Citrix NetScaler below.

 

Adaptive Auth for Citrix

  1. Multiple users go to login to the NetScaler
  2. The NetScaler takes in a username and password
  3. This information is passed to empowerID's Radius endpoint
  4. empowerID looks at the group membership of the user
  5. One user will go through 2-factor authentication
  6. One user will go through Single Factor authentication
  7. Both users will be presented with the same information after authentication
This truly adaptive model means you can migrate some your users to 2-factor authentication while keeping some at single factor authentication.

So let's get back to a few key points:
  1. What methods does the authentication support?
  • Can I migrate users by groups in the back end rather than cut everyone over at the same time?
    • Fully supported, keep everyone going to the SAML login page and empowerID will determine if the user needs 2-factor or single factor authentication.
  • What kind of logging and reporting is available?
    • empowerID's audit and reporting engine leads the pack when it comes to real time reporting and auditing.  While other products can't push reports up to a central audit point empowerID doesn't have the same limitations.  Built from the ground up to scale you can log into one place and review all audit reports.
  • How scalable is the solution?
  • How are the configurations stored?
    • empowerID configurations are stored in a database, the way it should be done.  Not in flat web.config or .conf files, these aren't methods that scale.

    Ready to learn more?

     Request a Demo

    Tags: Active Directory, IAM, Identity Management, SAML, Citrix, Palo Alto, Identity and Access Management (IAM), Radius, 2-Factor, Cisco

    EmpowerID Named Overall Leader in IAM / IAG Suites

    Posted by Patrick Parker on Thu, Feb 05, 2015

    Rating graph

    EmpowerID has been recognized as a three time leader in a recent KuppingerCole report evaluating Identity and Access Management (IAM) / Identity Access Governance (IAG) Product Suites.

    The IAM/IAG Leadership Compass “focuses on complete IAM/IAG (Identity Access Management/Governance) suites that ideally cover all major areas of IAM/IAG as a fully integrated offering,” Martin Kuppinger wrote in the report.

    KuppingerCole, a respected global analyst focused on Information Security, examined Identity and Access Management / Governance Suites for this report. They specifically evaluated products that are integrated solutions with a broader scope than single-purpose products. Martin Kuppinger concluded in the report, “With their Windows-based product they [EmpowerID] offer one of the best integrated IAM Suites. All components have been built by EmpowerID, allowing for tight integration into a well thought-out architecture. This integrated approach is a clear strength of EmpowerID."

    To request an unabridged copy of the the KuppingerCole report on IAM/IAG Suites, please visit http://info.empowerid.com/download-the-free-kuppingercole-iam-suites-leadership-compass.

    Tags: Role Based Access Control (RBAC), GRC, authentication, IAG, IAM, Group Management, Governance and Regulatory Compliance, Identity Management, Federation, User provisioning, Attestation, Separation of Duties, Identity and Access Management (IAM), Access Governance

    Innovation and Productivity Gains From Identity and Access Management

    Posted by Bradford Mandell on Tue, Jul 15, 2014

    IAM Innovation

     

    Security for identities.  Managing user access to applications.  Auditing user access.

    “Ugh”, you might think, “That sounds like more cost, more time, and more responsibility for IT”.

    But a platform approach to Identity and Access Management (IAM) that is rich in innovation can result in lower costs, better productivity, and reduced demands for IT resources, while providing managers with better and more timely information.

    Take for example a home healthcare provider with $2 billion in revenue and 40,000 employees in 40 states facing constant pressure to reduce costs as a result of declining government reimbursements for their services.  This organization had already used their considerable size advantage to create efficiencies and reduce costs wherever possible.  Then their Chief Security Officer (CSO) conducted a review of IAM technology and presented his management with a plan that would improve the productivity of their employees, reduce the workload on IT, improve the security for patient data and assist their organization in continuing to be a leader in the quality of patient services.

    Built from a series of acquisitions in an industry that experiences high turnover, this organization lacked an efficient process for provisioning home healthcare workers into the many web applications they need to perform their work.  The process began with HR creating a manual request for IT to provision a new user into the apps they require, and once this was completed, the new user had to register themselves and create a password in each application. This process was complex and required too much effort for the home healthcare employees to learn and to maintain.

    The CSO’s experience with several of the oldest and most installed IAM platforms made him wary of starting a new project with one of them because of their high licensing costs and the difficulty in customizing them to meet an enterprise’s specific needs.  He wanted a solution that would be easier to implement and easier to mantain.

    After evaluating multiple products, he chose the EmpowerID platform for its different and innovative approach to Identity and Access Management.  Built on a single codebase with a workflow core and shipping with hundreds of ready to deploy workflows, the CSO was impressed with EmpowerID's broad functionality and its ability to easily design and to automate complex IAM processes with its visual Workflow Designer. 

    The CSO determined during a software trial that EmpowerID’s powerful Role-Based Access Control (RBAC) engine could create effective roles based on both an employee’s place in the organizational hierarchy and their location, and it could scale easily for the size of their staff. EmpowerID proved itself to be flexible in also offering Attribute-Based Access Control (ABAC) for their scenarios where the use of contextual policies to govern access is more appropriate. 

    He also discovered that EmpowerID’s integrated Single Sign-On (SSO) module federates not only with more recent web applications that natively support SAML authentication, but also with legacy applications that lack SAML capabilities.  Thus he could accommodate all of his user scenarios end to end, from provisioning to access, using EmpowerID, rather than having to integrate two or more applications. 

    The CSO concluded that EmpowerID’s “all in one” approach could create the solution they needed in a shorter timeframe with fewer professional services and less risk to their project timeline and budget. The ability to show his management faster ROI helped him to obtain funding for the project. 

    EmpowerID’s User, Group and SSO Manager modules were then deployed to provision and to manage federated identity for the application portal, allowing new users to be added within hours, instead of days, and enabling the use of one login by a healthcare provider to access all of their applications. 

    New user onboarding was further simplified by creating a feed from the organization’s PeopleSoft HR application to EmpowerID, which in turn creates all the user accounts and access privileges in the applications they need, based on their business role. New users require less training and are ready to go to work as soon as they claim their identity upon first logging into the application portal.

    The home healthcare staff appreciate EmpowerID's friendly HTML5 user interfaces that adapt to the screen size of any device they use, whether a tablet or a smartphone, and the reduction in effort to get to their clinical applications, while patients are pleased that less time is consumed by administrative tasks during their scheduled visits. 

    EmpowerID’s multi-factor authentication capability (using an OATH token and SMS one time password) was implemented to strengthen system access security and to better protect the privacy of patient data, which is important in meeting regulatory and audit requirements.

    EmpowerID also assists the organization’s auditors with data governance – the discipline of ensuring that access to corporate and patient data is secure and is subject to the proper controls. EmpowerID not only improves the quality of data, is also supports configurable Separation of Duties (SOD) policies, attestation procedures and system dashboards for quick visibility of pending tasks and system statistics. EmpowerID provides dozens of reports out of the box and it supports Microsoft’s SQL Reporting Services to quickly provide the information that different users need.

    As a result of successfully automating their new user provisioning process and providing a seamless single-sign on experience for its home healthcare staff, this organization is realizing substantial productivity savings that will pay for EmpowerID in a period of just eighteen to twenty-four months. 

    The CSO’s vision for a single, flexible platform that could be implemented on-time and within budget to automate and to securely manage multiple aspects of the enterprise, creating new efficiencies and cost-savings, has been fully realized with EmpowerID's deployment.

    Ranked by KuppingerCole as a Product Leader, Innovation Leader and Overall Leader in their recent Leadership Compass for Identity Provisioning, EmpowerID helps diverse organizations across the globe improve identity security and access governance, increase productivity, lower costs, and improve service delivery through its innovative and cost-effective approach to IAM. 

     

    Learn More about IAM Cost Savings with EmpowerID

    Tags: Single Sign-on (SSO), Active Directory, GRC, Group Management, Governance and Regulatory Compliance, Identity Management, User provisioning, Data Governance, Attestation, Separation of Duties, Password management, Identity and Access Management (IAM), Access Governance

    Delegated User Provisioning Best Practices

    Posted by Edward Killeen on Wed, Nov 27, 2013

    Sometimes there is no authoritative source.  Sometimes you just have to say, "Bob, provision me a user."  These are the cases where you will need a very flexible user interface to control user provisioning workflows.

    delegated provisioningSee, that's the cool part, the UI is just what initiates the workflows in EmpowerID, the exact same workflows that are used when it detects a new employee in the HR system.  The same series of events are kicked off: assignment of roles, membership in groups, new accounts in the cloud, notification to the party planning committee, a single sign on dashboard.  It's all there, you are just starting it differently.

    Of course, authoritative sources are called that because they have authority.  You can trust them.  With delegated user provisioning, you need to have some additional controls.  The simplest and most efficient is to have an approval workflow shape where somebody in authority has to approve the new user.  Or approve any role with a security level over XYZ.  These approvals can be serial or parallel, they can go to someone in IT or HR or anywhere in between.  They can be decided based on who the new user is.  The important part is that one rogue employee won't be creating any domain admins named Joe Derp.

    Another consideration is the complexity of the user interface.  EmpowerID ships with over 400 usable out of the box identity management workflow templates.  About ten of these include user provisioning forms, ranging from what we call "super simple user provisioning" to "user provisioning". 

    The difference is what fields are required.  In super simple, the user puts in the name, department, title, and location of the user and EmpowerID dynamically assigns roles.  In simple, there is a dropdown of available roles depending on the attributes already defined and who the requester is (help desk can create X roles and HR can create Y roles for example).  There is also an IT based form where a sys admin who understands things like OU structures and the such can granularly define any attribute.

    Just my own personal opinion is that delegated user provisioning should always have an initial lifecycle.  This is easily accomplished by adding an expiration date dropdown on the form or creating a business rule in the workflow that it needs to be certified and renewed within that date period to continue its existence.  This is basically adding attestation to any user provisioning that happens outside of automated processes.

    The reason I believe this attestation and lifecycle are important is the use cases for delegated user provisioning.  The most obvious ones are:

    • temporary employees or contractors
    • task based highly privileged accounts
    • additional accounts for an existing user
    • partners and suppliers accounts

    None of these types of accounts should be subject to having perpetual access and permissions within your network.  With a strong IAM platform like EmpowerID, these security concerns can be alleviated even on users provisioned outside of normal channels.

    Take a look at this video demonstrating EmpowerID's role-based user provisioning; you can see some examples of the delegated user provisioning forms (because showing automated user provisioning makes for a boring demo :) ).  Then schedule a personalized demonstration where we can help you start designing your own user provisioning processes.

    Schedule a demo of Delegated User Provisioning

    Tags: User provisioning, Identity and Access Management (IAM)

    Identity Management training: the key concepts in action

    Posted by Edward Killeen on Tue, Nov 26, 2013

    identity management trainingEmpowerID believes in the philosophy that teaching a man to fish will keep him fed for a lifetime.  The same thing applies with identity management, it should not be a software that you need to keep hiring consultants every time you want to make a change to your business processes.

    EmpowerID is the best value in IAM with the least complexity.  The key is our all in one platform approach covering everything from SSO with Web Access Management, Provisioning and Identity administration, Governance, a Virtual Directory, multi-factor authentication, and a visual workflow platform all on a single code-base that was not acquired piece meal and stitched together.  EmpowerID delivers more value day one with over 400 usable IAM workflows out of the box.

    This is evident in our Identity Managment training program.  We offer both administrative and and developer training to teach you to fish and have an immediate impact on delivering IAM functionality out of the box day one.

    We provide an extensive Wiki that covers all of our documentaiton and is publicly available.  This wiki gives extensive instructions into the how and why of all of EmpowerID's identity management functionality.  Our customer forums give a place for customers to compare and contrast ideas and solutions while having a direct link not only to support staff but developers, architects and engineers as well.

    We have recently published overviews of the training to give a head start to customers wanting to see how the product works and is configured, along with identity management best practices.  They are on our YouTube channel here:

    One of our implementation engineers told me on my first day that he could have EmpowerID up and running and managing Active Directory automatically within two hours in an organization.  Adding additional identity components are just as efficient.

    Take a look at our identity management training and ask yourself, is my solution that straight forward?  Are my processes that good?  Do I know how to fish for identity management?

    Demo & Evaluate EmpowerID

     

    Tags: Identity and Access Management (IAM)

    Self Service Identity Management

    Posted by Edward Killeen on Thu, Nov 07, 2013

    How about a trick question?  What is your most authoritative source for identity information?  It's not that tricky....your HRIS.  But your actual users are an awfully close second.  They know themselves and if you give them a self service portal, they can make your life easier.

    self service identity managementThe real trick is what you allow them to update via self service.  Most shops allow some limited Active Directory self service.  But there is so much more that you can open up with a well designed self service identity management system...as long as you put controls, approvals and lifecycle into effect.

    EmpowerID's HTML5 interface gives users a clean view into any application or identity store via a single interface from any device.  Attributes, group and role memberships, and permissions for any identity store / application can be managed via the metadirectory with updates either pushed directly to the application or synchronized on a scheduled basis.

    Any field can be hidden, read-only, or editable based on the user's role(s).  Approval workflows are managed via EmpowerID's unique RBAR architecture (Rights Based Approval Routing), allowing you to easily manage who can and cannot make and approve changes.  Lifecycle can be applied to any object or membership, allowing you to have full identity lifecycle and temporary privileged access.

    But the most important factor is what your users have access to self-serve.  Where most solutions stop at Active Directory, EmpowerID just starts there.  If a user needs to change their home phone number, that information needs to filter to AD for the GAL, HR for contact information, the emergency notification system, and to benefits databases.  Important information like this should not be left to scripts written by some contractor who won't work there in 3 months.

    There are other glaring examples around group memberships which affect other systems.  Dynamic group memberships that are driven off of identity information.  Office locations that determine parking privileges.  Mobile phone numbers for second factor authentication and device registration.

    Think of all of the things your users know about themselves that you cannot find out.  That is your list of attributes and systems that you allow self service for.  Think of everyplace that those attributes need to be synchronized.  That is your list of applications, databases and directories that you need to connect to.  Think of everyone who can actually approve those changes, that is your RBAR structure.

    Allowing self service for identity management does not replace the connectors, synchronization and metadirectory.  It complements it and makes a more thorough identity management solution.

    Identity management self service demo

    Tags: Active Directory, Identity and Access Management (IAM)