Bradford Mandell

Recent Posts

The Dot Net Factory, LLC dba EmpowerID statement on privacy and status of EU-US data transfers post-Schrems II

Posted by Bradford Mandell on Sat, Aug 01, 2020

Summary

Context: The Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield (Privacy Shield) as a valid mechanism to comply with EU data protection requirements when transferring personal data from the EU to the US. The CJEU continues to view standard contractual clauses (SCCs) as a valid mechanism in the abstract, though this may be challenged on a case-by-case basis if the circumstances surrounding the transfer impinge on the adequate level of protection afforded by the SCCs.

The Dot Net Factory, LLC dba EmpowerID action: In light of the CJEU’s ruling, The Dot Net Factory, LLC dba EmpowerID updated our Data Processing Addendum to, among other things, incorporate SCCs where required for the transfer of personal data outside of the EU or the UK. We are also continuing to monitor for further guidance from the EU supervisory authorities, including on any supplementary measures that we may undertake as a data importer.

Ongoing commitments: The Dot Net Factory, LLC dba EmpowerID upholds high standards of privacy and security for customer data. As such, we reiterate our commitment to provide for increased customer control over where their cloud data is stored and restrict access to such data, and to never sell customer data. In addition, we aim to be transparent with our customers about government requests that we receive for their data.


Background on changes to legal mechanisms for EU-US data transfer

On July 16, 2020, the CJEU invalidated Privacy Shield in the Schrems II case (also known as Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems). Privacy Shield was a voluntary program developed to enable companies to self-certify adherence to certain privacy protections for the transfer of personal data from the EU to the US. It was implemented to replace the Safe Harbor framework, which the CJEU struck down in 2015, and has since been operated by the US Dept. of Commerce. The recent CJEU decision echoes the 2015 ruling, concluding that US national security surveillance laws and programs are in conflict with Europeans’ fundamental right to privacy, and that the Privacy Shield did not provide an adequate level of protection or remedy to EU data subjects.

Although the CJEU invalidated Privacy Shield, the CJEU concluded that the SCCs, issued by the European Commission, continue to be a valid mechanism for companies to transfer personal data outside the EU, but may be challenged on a case-by-case basis, especially where national security laws conflict with the guarantees provided by the data importer in such clauses. As such, the CJEU noted that it’s the primary responsibility of the data exporter and data importer to assess whether supplemental measures are necessary to ensure an adequate level of protection, but did not specify what such supplemental measures could be. The European Data Protection Board recently also issued a statement that it’s analyzing the CJEU’s decision and expects to issue further guidance on what those supplemental measures could consist of.

 

The Dot Net Factory, LLC dba EmpowerID actions in the wake of Schrems II

Since this landmark ruling, The Dot Net Factory, LLC dba EmpowerID has taken immediate steps to ensure minimum disruption for our customers, including updating our Data Processing Addendum to incorporate SCCs to the extent required under applicable data protection law. The Data Processing Addendum also enumerates our commitments to security, confidentiality of processing, limitations on international transfers of personal data, cooperation with data subjects’ rights, notice of security incidents, and more.

Over the coming months, we expect the EU supervisory authorities to issue additional guidance on how to comply with the new legal landscape after the Schrems II decision, including what the supplementary measures could consist of. In addition, the current form of the SCCs was written before GDPR went into effect and may be due for an official revision; we continue to keep a close eye on forthcoming guidance to stay up to date.

In the meantime, we continue to uphold our obligations and commitments to our customers under our contracts, under GDPR, and under the Privacy Shield framework for the data we collected and transferred under that framework.

 

The Dot Net Factory, LLC dba EmpowerID’s ongoing commitment to privacy and security

While the CJEU’s ruling on the Privacy Shield complicates EU-US data transfers, it changes little regarding the paramount importance The Dot Net Factory, LLC dba EmpowerID places on the privacy and security of our customers’ data. The Dot Net Factory, LLC dba EmpowerID maintains a robust security and privacy program that is outlined in detail on our Trust page.

Importantly, The Dot Net Factory, LLC dba EmpowerID does not sell, rent, or trade customers’ personal data. When The Dot Net Factory, LLC dba EmpowerID accesses data hosted in the EU, it is in service to our customers, such as: to provide our customers 24/7 technical support for their most critical issues, to deliver the right security solutions or to optimize their experience. The Dot Net Factory, LLC dba EmpowerID also gives customers control over where their cloud data is stored regionally. In addition, The Dot Net Factory, LLC dba EmpowerID redirects to the customer any government requests for their data that we may receive, and contractually commits to providing advance written notice of any compulsory requests to access their data unless prohibited by law from doing so.

The Dot Net Factory, LLC dba EmpowerID remains committed to maintaining the highest levels of privacy and security for our customers, and will continue to drive enhancements to our data protection safeguards. For more information about our security and privacy program, please email privacy@empowerid.com.

Tags: GDPR, Privacy Shield, Privacy and EU-US Data Transfers

KuppingerCole Names EmpowerID as a Leader in Identity as a Service (IDaaS)

Posted by Bradford Mandell on Thu, Aug 17, 2017

KuppingerCole, a respected global analyst focused on Information Security, examined 24 vendors in the Identity as a Service, Business to Enterprise (IDaaS B2E) market. EmpowerID was named as a Product Leader, a category which ranks vendors by functional strength and completeness of solution. KuppingerCole stated in the report that EmpowerID "delivers a very broad feature set for Identity and Access Management, going well beyond Identity Provisioning but with tight integration to these core features."

KuppingerCole further recognized EmpowerID as an Innovation Leader, a measure of the platform's support for "leading-edge new features which deliver emerging customer requirements," and finally as an Overall Leader which measures leadership across all the factors they evaluate.

KuppingerCole noted that EmpowerID "takes a unique approach to IAM/IAG. It is built from scratch on a Business Process Management/Workflow platform" and the ability to modify and create visually designed workflows, "allows for great flexibility, while the product also delivers a broad set of out-of-the-box features."

Among top product leaders, EmpowerID differentiates itself by its innovative "everything is a workflow" approach to Identity and Access Management. Of EmpowerID, KuppingerCole stated "EmpowerID is a very interesting and innovative solution. It provides a well thought-out and flexible approach for Cloud IAM/IAG with strong Identity Federation and authentication support."

KuppingerCole also assigned EmpowerID the strongest ratings possible for the security, interoperability and usability subcategories of the Leadership Compass report.

The strength of EmpowerID's industry leading Identity and Access Management, Governance and Privileged Access Management feature set is derived from its all-in-one approach. It uses a single codebase, a common management console, and modern HTML5 adaptive user interfaces to combine high scalability and performance into a superior user experience. EmpowerID offers an Identity Warehouse to manage employee, partner, and consumer identities which are automated and secured by an Adaptive Authentication Engine, a powerful RBAC/ABAC engine, and over 750 out of the box workflows.

The breadth of EmpowerID's platform allows enterprises around the globe to extend their boundaries and to manage internal and client identities in on-premise, Cloud and hybrid environments.



To learn more about EmpowerID's strong, unique offering for business to employee IDaaS needs, read the full report: http://info.empowerid.com/download-the-free-kuppingercole-idaas-b2e-report-www

Tags: IAM, Federation, Identity and Access Management (IAM), IDaaS

B2C Single Sign On & Identity Management That Wins Over Consumers

Posted by Bradford Mandell on Mon, Oct 20, 2014


Organizations that manage successful brands know what their customers want from a website experience and are able to provide it.

Consumers want simpler processes.  

They want a quick, seamless authentication experience. 

They want to get to a site from any device that is handy at the time, whether it’s a PC, a tablet or a smartphone.

They have lots of choices and they are bombarded with lots of information. Your branding must be visible and the flow of your customer through your site must be smooth so they will have a positive experience, remember you and want to return.

And your security for their identity needs to protect them and you without being obtrusive.

Your prize, if you capture consumers with a well-designed web presence, is a solid foundation for  business growth, faster fulfilment of your clients’ needs, and substantially greater efficiencies that can  reduce costs and drive profitability.

And of course you are supposed to accommodate all that and keep to a modest IT budget… phew!  

Here’s what it’s going to take:

  • A highly scalable Single Sign On (SSO) and Identity and Access Management (IAM) platform – one that can take you where your ambition wants to go.  Your IAM infrastructure may need to manage millions of users and tens of thousands of logins an hour.
  • Flexible branding – the login process can’t be generic, it and related Single Sign On (SSO) pages need to be customizable to your themes.
  • Support for social media logins is a must if you want to simplify the user experience and entice the widest number of users possible.
  • Self-service password reset and challenge questions that allow consumers to quickly get back in to your site if they forget their username or their password.
  • 2nd factor authentication capabilities and even identity validation will be needed if you need to provide an extra level of protection for your data or resources.  You may want the ability to step up authorization when a user needs to access more sensitive information.
  • A flexible API is another core need – one that can be embedded into your existing applications to connect to common authentication, provisioning and authorization processes.
  • You will want a licensing model that scales from a modest user base to one that is still affordable if you exceed your best expectations.
  • And while many SSO platforms claim that you can easily entrust provisioning to another platform that they can connect to, that’s going to cost you more money to develop, to implement and to support. So you will want a platform that is capable of integrating all of your essential identity management tasks from the start.
  • There is a lot of other technical stuff that you are going to want, like compatibility with all the major standards (SAML, WS-Fed, OAuth), and password vaulting and reverse proxy for those legacy apps that can’t make a standard federated connection but still need to talk to your federated environment (because throwing out everything you own to pave the way for new standards isn’t always practical).

There is a solution that provides all of the above: EmpowerID. 

EmpowerID is an integrated and modular platform, built on a single codebase and driven by workflow with prebuilt one-to-many SSO and Identity Management scenarios with the needs of consumers in mind. 

EmpowerID’s visual workflow designer and adaptive HTML5 interfaces offer a vastly improved and simplified approach to traditional SSO and IAM challenges.  It can be stood up in just a few days or weeks depending on the customization desired, instead of the months that other applications take. 

Most importantly, EmpowerID supports a satisfying access experience for consumers and drives strong ROI with its secure, seamless and flexible identity processes.  


Tags: WS-Fed, authentication, Identity Management, Federation, consumers, SAML, Single Sign-on, Password management, SSO, social media

Innovation and Productivity Gains From Identity and Access Management

Posted by Bradford Mandell on Tue, Jul 15, 2014


 

Security for identities.  Managing user access to applications.  Auditing user access.

“Ugh”, you might think, “That sounds like more cost, more time, and more responsibility for IT”.

But a platform approach to Identity and Access Management (IAM) that is rich in innovation can result in lower costs, better productivity, and reduced demands for IT resources, while providing managers with better and more timely information.

Take for example a home healthcare provider with $2 billion in revenue and 40,000 employees in 40 states facing constant pressure to reduce costs as a result of declining government reimbursements for their services.  This organization had already used their considerable size advantage to create efficiencies and reduce costs wherever possible.  Then their Chief Security Officer (CSO) conducted a review of IAM technology and presented his management with a plan that would improve the productivity of their employees, reduce the workload on IT, improve the security for patient data and assist their organization in continuing to be a leader in the quality of patient services.

Built from a series of acquisitions in an industry that experiences high turnover, this organization lacked an efficient process for provisioning home healthcare workers into the many web applications they need to perform their work.  The process began with HR creating a manual request for IT to provision a new user into the apps they require, and once this was completed, the new user had to register themselves and create a password in each application. This process was complex and required too much effort for the home healthcare employees to learn and to maintain.

The CSO’s experience with several of the oldest and most installed IAM platforms made him wary of starting a new project with one of them because of their high licensing costs and the difficulty in customizing them to meet an enterprise’s specific needs.  He wanted a solution that would be easier to implement and easier to maintain.

After evaluating multiple products, he chose the EmpowerID platform for its different and innovative approach to Identity and Access Management. EmpowerID is built on a single codebase with a workflow core and ships with hundreds of ready-to-deploy workflows, and the CSO was impressed with its broad functionality and its ability to easily design and to automate complex IAM processes with its visual Workflow Designer.

The CSO determined during a software trial that EmpowerID’s powerful Role-Based Access Control (RBAC) engine could create effective roles based on both an employee’s place in the organizational hierarchy and their location, and it could scale easily for the size of their staff. EmpowerID proved itself to be flexible in also offering Attribute-Based Access Control (ABAC) for their scenarios where the use of contextual policies to govern access is more appropriate. 

He also discovered that EmpowerID’s integrated Single Sign-On (SSO) module federates not only with more recent web applications that natively support SAML authentication, but also with legacy applications that lack SAML capabilities.  Thus he could accommodate all of his user scenarios end to end, from provisioning to access, using EmpowerID, rather than having to integrate two or more applications. 

The CSO concluded that EmpowerID’s “all in one” approach could create the solution they needed in a shorter timeframe with fewer professional services and less risk to their project timeline and budget. The ability to show his management faster ROI helped him to obtain funding for the project. 

EmpowerID’s User, Group and SSO Manager modules were then deployed to provision and to manage federated identity for the application portal, allowing new users to be added within hours, instead of days, and enabling the use of one login by a healthcare provider to access all of their applications. 

New user onboarding was further simplified by creating a feed from the organization’s PeopleSoft HR application to EmpowerID, which in turn creates all the user accounts and access privileges in the applications they need, based on their business role. New users require less training and are ready to go to work as soon as they claim their identity upon first logging into the application portal.

The home healthcare staff appreciate EmpowerID's friendly HTML5 user interfaces that adapt to the screen size of any device they use, whether a tablet or a smartphone, and the reduction in effort to get to their clinical applications, while patients are pleased that less time is consumed by administrative tasks during their scheduled visits. 

EmpowerID’s multi-factor authentication capability (using an OATH token and SMS one time password) was implemented to strengthen system access security and to better protect the privacy of patient data, which is important in meeting regulatory and audit requirements.

EmpowerID also assists the organization’s auditors with data governance – the discipline of ensuring that access to corporate and patient data is secure and is subject to the proper controls. EmpowerID not only improves the quality of data, it also supports configurable Separation of Duties (SOD) policies, attestation procedures and system dashboards for quick visibility of pending tasks and system statistics. EmpowerID provides dozens of reports out of the box and it supports Microsoft’s SQL Reporting Services to quickly provide the information that different users need.

As a result of successfully automating their new user provisioning process and providing a seamless single-sign on experience for its home healthcare staff, this organization is realizing substantial productivity savings that will pay for EmpowerID in a period of just eighteen to twenty-four months. 

The CSO’s vision for a single, flexible platform that could be implemented on-time and within budget to automate and to securely manage multiple aspects of the enterprise, creating new efficiencies and cost-savings, has been fully realized with EmpowerID's deployment.

Ranked by KuppingerCole as a Product Leader, Innovation Leader and Overall Leader in their recent Leadership Compass for Identity Provisioning, EmpowerID helps diverse organizations across the globe improve identity security and access governance, increase productivity, lower costs, and improve service delivery through its innovative and cost-effective approach to IAM. 

 


Tags: Single Sign-on (SSO), Active Directory, GRC, Group Management, Governance and Regulatory Compliance, Identity Management, User provisioning, Data Governance, Attestation, Separation of Duties, Password management, Identity and Access Management (IAM), Access Governance

The best IDM software? Something different.

Posted by Bradford Mandell on Tue, Aug 07, 2012

What makes EmpowerID different?  In the crowded Identity and Access Management (IAM, also referred to as IDM) market, our slogan, “A new breed of identity management” and a little of our history are helpful in understanding the answer to this question.

By 2005, we had spent three years developing and deploying an easy to use and quick to deploy Self-Service Password Management and User Provisioning product.  We realized that clients were consistently asking for many of the same features that couldn’t be found in one offering:

  1. The lower cost and ease of use of an application, but also the power and flexibility of a platform
  2. The ability to make Identity Management processes conform to their business practices, instead of making changes to accommodate the limitations of an IAM application
  3. A modular approach that allows them to buy just what they need now, with the ability to add support for additional directories, platforms, applications and federated single sign-on (SSO) later
  4. Freedom from vendor bias, meaning that they don’t want to sacrifice strong support of Microsoft platforms to get strong support for an Oracle, SAP or IBM platform, or any number of other standard and custom applications
  5. A high degree of integration among the moving parts of an Identity and Access Management (IAM) platform and a “single pane of glass” to see security across all connected applications, platforms and directories
  6. Powerful Role-Based Access Control (RBAC) that allows them to quickly configure access, views and control by a wide range of hierarchies and locations, but which still can have rights added or subtracted manually
  7. A standalone Metadirectory that allows them to store information and extended attributes without stuffing them into an internal system like Active Directory
  8. Highly flexible, modern user interfaces with “rights-trimmed” user views and support for corporate theming

The first thing that struck us when we reviewed this list of client requests was that we had to develop a fresh, innovative vision if we were to achieve all of these objectives in one solution.  We concluded that we had to think in terms of a platform, by which we mean a common set of code, logic, services, tools, and interfaces that could span every module that we would want to develop in the foreseeable future.  This platform would also have to offer redundancy, high availability and scalability to meet both the demands of the largest enterprises and the rapidly growing number of organizations that need to securely manage Identity information for their partners and customers.

Cobbling together different applications through licensing agreements or acquisitions would not accomplish a key goal for us that has eluded all other major vendors in the IAM market: producing a full-featured platform that could meet all of a client’s major goals while costing significantly less to develop and to expand, as well as costing our customers less to acquire and to maintain.  Key to this would be to build the entire platform on a single codebase that would allow for the accelerated development of new modules and features.

We realized we had only one option to include all of the items on our clients’ wish list: to start from scratch.  By taking a “greenfield” approach we sought to avoid the architectural and design constraints that limit our competitors and to allow us to offer a breakthrough price point for enterprises that had been excluded from acquiring traditional IAM platforms by their high initial cost and their labor intensive implementation and support requirements. 

Our first task was to decide which key elements would be essential to include in this new platform approach to Identity and Access Management, and these are the core components of EmpowerID that when combined make it truly different:

  • Workflow – not just a series of simple approvals that other vendors offer, but rather a comprehensive Business Process Automation (BPA) platform that provides the mechanism for executing every action taken by the IAM platform against other connected directories, applications and platforms.  We ship with over 375 workflows in our complete suite that can be installed and can start performing work in a day.  Our visual workflow designer can modify any workflow and create new ones and allows business managers to collaborate with developers by allowing them to see how IAM information flows and is controlled throughout their enterprise.  It collapses the time for producing client-specific customizations and it creates productivity gains through automation.
  • Metadirectory – a robust directory that stands apart from all other connected directories so that it can function as a full authoritative source of the “truth” about any identity and its attributes as provided by direct input to it, or by inventorying or directly querying in real-time any connected source.  This Metadirectory can be used to create and manage the lifecycle of an identity independently of any other directory.  It can exist outside of a corporate firewall to safely manage the increasingly complex world of Federated and Cloud Identity.  The Metadirectory also functions as a directory, enabling organizations to allow external partners and customers to authenticate without creating user accounts in the corporate Active Directory.
  • Role-Based Access Control (RBAC) – some applications claim to offer this, but a major platform must extend a robust vision of managing roles.  EmpowerID’s RBAC can determine rights from multiple hierarchies and locations.  It works in conjunction with Attribute Based Access Control (ABAC) and another unique contribution we have made to this technology, Rights Based Approval Routing (RBAR), to create remarkably powerful and efficient security with sophisticated approvals, Separation of Duties (SoD) and Attestation capabilities.
  • Flexible and modern User Interfaces (UI) – this would seem to be an obvious component, yet it is frequently overlooked by many vendors, despite being the face of the application that all users encounter.  We were determined to lead the industry with highly configurable UI that not only allows the security to control each user’s view, but that also enables client branding to create a rich user experience.  This is an important component in driving user acceptance and adoption of self-service components.

So how have we done?  In the four years since the first release of the EmpowerID platform, we have achieved a global presence in some of the world’s largest organizations and in market segments that include: finance, banks, regulatory agencies, governments, energy producers, healthcare, retail, manufacturers, advertising agencies, primary and secondary education, and software developers, among others.  We have single installations with hundreds of thousands of users managing millions of objects and many projects that connect and provide Identity Management for Cloud applications.

The distinguishing characteristics of our wins include:

  • We are highly competitive on the pricing of the EmpowerID suite while offering lower implementation costs and shortened project timeframes due to our requiring less of the custom development and heavy scripting that characterizes our competitors
  • We have replaced many IAM applications or we coexist and interoperate in environments with existing IAM investments because of our ability to incorporate existing code with our open workflow platform and our flexible connector and communications models
  • Clients make extensive use of our workflow, using it to design and automate many non-IAM functions because of the extraordinary capabilities of the platform that allow it to drive efficiencies with secure Business Process Automation.  Some clients have gone as far as to build complete applications on their own using our workflow designer.
  • We retain responsibility for a successful completed project – we don’t push our clients to buy EmpowerID independent of delivering a successfully completed project like much of our competition that relies on partners of varying quality to deliver a finished result

We continue to aggressively develop EmpowerID, with the release in March of the 2012 version of EmpowerID in conjunction with two new modules: SSO Manager, which integrates Federated Single Sign-On (SSO) into the platform and File Share Manager, which provides shared folder permissions inventory and management.

EmpowerID allows enterprises to securely manage their identities while generating cost-savings from automating and securely delegating tasks.  Our goal is to continue to make Identity and Access Management easier to implement and easier to maintain, permitting an increasingly broader range of enterprises to own the critical IAM technology they need to realize their automation, compliance and Cloud goals.

Discover the new breed in IAM software by exploring EmpowerID.


Tags: Identity and Access Management (IAM)
