Chris Hayes

Turkey citizenship database leak highlights need for full database encryption

Posted by Chris Hayes on Tue, Apr 05, 2016


Citizens of Turkey woke up Monday with the knowledge that a Citizenship Database has been publicly dumped for anyone in the world to download and view.

The dumped database included:

  • National Identifier (TC Kimlik No)
  • First Name
  • Last Name
  • Mother's First Name
  • Father's First Name
  • Gender
  • City of Birth
  • Date of Birth
  • ID Registration City and District
  • Full Address



This database leak underlines why it is important to encrypt data at rest.  Most IAM projects implement HTTPS (port 443) for access to the product, secure DMZ firewalls and Role Based Access Controls, but neglect to implement encryption for the identity warehouse.  EmpowerID fully supports encryption of the information in our identity warehouse and has validated our latest release, EmpowerID 2016, using these same encryption methods.

Notes from the database leaker

EmpowerID utilizes transparent data encryption (TDE) which provides full database-level encryption. TDE is the optimal choice for bulk encryption to meet regulatory compliance or corporate data security standards. TDE works at the file level, which is similar to two Windows® features: the Encrypting File System (EFS) and BitLocker™ Drive Encryption, the new volume-level encryption introduced in Windows Vista®, both of which also encrypt data on the hard drive.  This means that the identity and attribute information stored within EmpowerID will stay secure even if someone gets access to a backup of the database or gets access to the flat files from a server.

To learn more about how EmpowerID can utilize a fully encrypted database just click below.

Request a Demo


Tags: Data Governance, Identity and Access Management (IAM), Access Governance

Identity Spring Cleaning Tools from EmpowerID

Posted by Chris Hayes on Wed, Mar 09, 2016


Cleaning up Active Directory can be a cumbersome chore, to say the least.  Without the proper tools you can easily get stuck searching for expired accounts, groups with no members and, even worse, users with access to resources that should have been removed.

EmpowerID 2016 connects to and inventories all of your systems, providing a unique platform to easily manage a spring cleanup.  Because your team can easily identify risky access, out-of-date users, groups with no members, or even users with access they should not have, it is the fastest way to get control of your current environment or of an environment that you are bringing on board.  Best of all, EmpowerID empowers your helpdesk and business users to manage things like password resets, group and application access and more.

Directory Cleanup Check List

Active Directory Cleanup:

EmpowerID continuously inventories and monitors your systems for changes.  This produces a large amount of actionable intelligence that can be used to clean up your directories. Common candidates for cleanup include:

  • Dormant Accounts - EmpowerID can help you identify user accounts that have not been used in a while and apply automated clean-up tasks such as removing group memberships.
  • Groups with No Owners - Groups without owners represent an audit risk and can often be old groups that are no longer used. EmpowerID assists with identifying owners and provides processes to assign ownership.
  • Groups with No Members - Groups with no members can be a potential security risk and are often an easy choice for cleanup.


Delegated Administration:

Managing groups across many separate systems creates an immense group management challenge for IT security departments, as each system is a new security island with its own set of users and groups to manage. EmpowerID solves this security challenge by applying a single security model to replace security administration tools and removes the requirement to grant native permissions in order to perform identity administration. Group admins can manage groups in any system, on-premise and Cloud, in a single web-based console, with laborious multi-step processes automated by visually-designed workflows. The workload is further reduced by giving business users the ability to manage access to the groups they own in a non-technical interface.


Dynamic Group Automation:

Automating the bulk of your group management tasks is the key to lowering management costs and keeping users happy and productive with shorter wait times. EmpowerID’s Dynamic Hierarchies engine is like auto-pilot for the most common security and distribution groups most organizations need. It automatically creates, manages the membership and retires groups based on the most common criteria (manager, department, location, etc.).

Manage On-Premise and Cloud Groups:

EmpowerID manages your groups wherever they might be. A huge library of connectors allows for rapid onboarding of commercial Cloud and on-premise applications. The most popular systems are fully supported with in-depth functionality for managing groups and roles in systems such as Office 365, Google Apps, Amazon AWS, AD, LDAP, AS/400, local groups on Windows Servers, SharePoint, and others. Custom-developed applications can be easily accommodated using the EmpowerID Universal Connector.


Compliance and Recertification:

EmpowerID will become the key tool allowing your directory security team to breeze through audits, saving time and money. The modern organization has groups scattered across a wide mix of on-premise and Cloud applications and directories. This highly fragmented and siloed environment is a huge headache when it comes to producing the data required for periodic group membership recertification. This process becomes almost automatic as EmpowerID continuously monitors and inventories your on-premise and Cloud directories, detecting group memberships and any changes. EmpowerID handles the entire group lifecycle, so when audit time comes around there already exists a complete audit trail for all group-centered activities, from self-service to delegated administration. Built-in attestation policies allow for rapid periodic recertification of group membership by their owners to eliminate the hassle of auditing this critical infrastructure. Risk-based separation of duties policies allow toxic combinations of access to be defined, detected, and remediated if discovered.


Reporting and Alerting:

EmpowerID brings intelligence and in-depth visibility to assist with managing your Cloud and on-premise groups. All systems are continuously inventoried and monitored for changes. This includes the creation of new groups, group membership changes, and deletion of groups. All changes are logged and the source of the change is noted. Alerts can notify group owners and administrators when membership changes in sensitive groups. These changes can also be rolled back automatically if desired. Hundreds of statistics and metrics are displayed in friendly dashboards allowing visibility into how your environment is changing and a large list of out of the box reports keeps everyone up to date.


Please contact us to find out how we have helped hundreds of organizations get a handle of their identity landscape and how we can help you. 

Request a Demo

IAM Role Mining Powered by Machine Learning Algorithms

Posted by Chris Hayes on Mon, Feb 01, 2016


One of the largest issues facing an organization's identity and access management project is the task of creating appropriate management and business roles and the access those roles should provide.  We can all take a look at the structure of a company and say they should have an IT role, a Sales role, an HR role and Executive roles, but what about trying to map out the permissions that large groups of people already have?

EmpowerID is excited to introduce Role Mining Campaigns powered by our unique machine learning algorithms.  EmpowerID simply inventories your systems, allowing you to pick the data to include in the role campaign.  We then pull in the relevant entitlement data based on what you are targeting for the campaign; this can be user information, group membership, NTFS and folder permissions, SharePoint rights and more.

The next step is to create Runs.  These runs simply output optimized candidate roles based on all parameters (called bottom-up role mining).  We then create a clustered entitlement map with ranked candidate roles, allowing you to visualize this data on the map and look at the overlap between roles, as seen below.


As seen above, you can simply look at the current pockets of access assignments and create one as a possible candidate role!  This process not only saves a great deal of time but also ensures you are taking a holistic look at the current rights.


We also allow you to see if this will possibly create a Separation of Duties policy violation before you create it as seen above.

Or maybe you'd like to hand pick your roles?  Below you can see we've just hand selected our roles and can now publish them.  This easily allows you to promote them to management roles or business roles while still optimizing to remove all of the direct assignments that the role grants.


With full support for both top down and bottom up role mining, EmpowerID continues to deliver the best product in the IAM space, saving you time and money!  Reach out today to learn more!

Request a Demo

EmpowerID Rings in 2016 with free Office 365 Manager Licenses

Posted by Chris Hayes on Wed, Jan 06, 2016

Free Office 365 Manager license with every User/Group Manager purchase!

EmpowerID is excited to announce starting Friday January 1, 2016 through Thursday March 31, 2016 we will be including our Office 365 Manager for free with every User Manager, Group Manager, or Exchange Manager purchase!  To receive this special deal, contact EmpowerID Sales today.

EmpowerID's New Year’s resolution is to help customers eliminate the user login hassle with SSO and unburden IT admins from repetitive Identity and Access administration tasks.  The EmpowerID Office 365 Manager allows organizations to securely administrate all aspects of Microsoft's Office 365 environment.  

Office 365 Manager extends the capabilities of EmpowerID User Manager and Group Manager to Microsoft’s Office 365 platform by providing these capabilities:

  • Single Sign-On (SSO)
  • Role-Based Delegated Administration (RBAC)
  • Automated Provisioning and Sync
  • Dynamic Group Management of Security and Distribution Groups
  • Multi-Factor Authentication
  • Access Recertification and Audit Reporting
  • Mailbox and Folder Permission Audit, Management, and Self-Service
  • Provides broader management functionality than Microsoft’s standalone admin tools

Not only can the EmpowerID platform consolidate all of your Office 365 management tasks, it can also provide a single set of friendly web and mobile interfaces for all of your Cloud and on-premise systems, including Active Directory, LDAP and enterprise applications.


Ready to learn more?

Request a Demo

Tags: Office 365

Encryption of IAM Data

Posted by Chris Hayes on Thu, Dec 17, 2015


2015 was a rough year for Identity and Access Management news.  Digital toymaker VTech lost 6.4 million children's names, birthdates, parents' email, mailing addresses and more.  Ashley Madison's data was exposed including email addresses, chat message data and more.  AT&T just agreed to pay $25 million as a result of 275,000 exposed customer names and other information.  Customer and employee identity data is extremely valuable.

Here at EmpowerID we've been working diligently to support an easy to use method of encryption for data stored in our Identity Warehouse.  We are now excited to fully support encryption of all data we inventory and store.  This means if someone gets access to data files on a server or to backups, your data is still protected!

By encrypting data at rest we can now prevent malicious parties from getting the database files and restoring them onto a system and browsing personally identifiable information (PII).  Identity data is encrypted using AES256 which also ensures compliance with many laws, regulations, and guidelines in different industries.

Below is the encryption hierarchy, with dotted lines representing the encryption used by TDE (courtesy of Microsoft).



Supporting real-time I/O encryption of the EmpowerID 2016 Identity Warehouse means that the data is encrypted before it is even written to disk and only decrypted when read into memory.  Verification is easy enough once the process is complete.

Below we can easily verify that the encryption process is complete.
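As an added example, not part of the original post or EmpowerID's own setup scripts, here is the SQL Server sequence that produces and verifies the state this post and the April 2016 TDE post describe. It assumes SQL Server as the warehouse engine (the posts name TDE and Microsoft's key-hierarchy diagram but not the engine), a placeholder database name EmpowerID_IW, and placeholder file paths and passwords.

```sql
-- Added example (not EmpowerID's own scripts). Assumes the Identity Warehouse
-- is a SQL Server database named [EmpowerID_IW] (placeholder) and that the
-- login running this has sysadmin rights.

-- 1. Key hierarchy, top down: service master key -> database master key in
--    master -> certificate -> database encryption key (DEK) in the user database.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
GO
CREATE CERTIFICATE TDE_IW_Cert WITH SUBJECT = 'Identity Warehouse TDE certificate';
GO

-- 2. Back up the certificate and its private key now and store the files
--    separately from the database backups. Without them an encrypted backup
--    cannot be restored anywhere, including by your own DR process.
BACKUP CERTIFICATE TDE_IW_Cert
    TO FILE = 'C:\secure\TDE_IW_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\secure\TDE_IW_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<private-key-password-placeholder>');
GO

-- 3. Create the DEK inside the warehouse database and switch encryption on.
--    Pages are encrypted before being written to disk and decrypted only when
--    read into memory; a background scan encrypts the pages already on disk.
USE [EmpowerID_IW];
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_IW_Cert;
GO
ALTER DATABASE [EmpowerID_IW] SET ENCRYPTION ON;
GO

-- 4. Verify. encryption_state 3 = encrypted, 2 = encryption scan in progress
--    (percent_complete shows how far the scan has got). tempdb is encrypted
--    as well once any user database on the instance is encrypted.
SELECT  d.name,
        d.is_encrypted,
        k.encryption_state,
        k.percent_complete,
        k.key_algorithm,
        k.key_length
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
WHERE d.name IN (N'EmpowerID_IW', N'tempdb');

-- 5. Confirm the protection the posts describe: on a scratch instance that does
--    not hold TDE_IW_Cert, restoring the backup fails and the error names the
--    missing certificate thumbprint. Run this only on that scratch instance.
-- RESTORE DATABASE [EmpowerID_IW] FROM DISK = 'C:\backups\EmpowerID_IW.bak';
```

Treat the certificate backup files and their password with the same care as the database itself: whoever holds them can restore the backup, and whoever loses them cannot.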


Once encryption is complete you can look through backups to verify the data is encrypted.  Below on the left you can easily see unencrypted data containing PII; following encryption you can see that a backup of the same database is now fully encrypted and unreadable.


If someone were able to get the Identity Warehouse database they would be unable to load it up to recover the data as you can see below.


So make 2016 the year you commit to encrypting employee and consumer data and the year you lower your exposure to data leaks!  Give us a call or click the link below for a quick demo of the EmpowerID difference.

Request a Demo

Enterprise IAM Controls for Resources in Amazon Web Services

Posted by Chris Hayes on Mon, Oct 19, 2015

Deploying servers out in AWS is great for a number of reasons: saving money, elastic capacity, increased speed.  There is a host of reasons that we won't even get into here.  One of the most important aspects of utilizing AWS is remembering the "Shared Responsibility Model", which basically says that you, the customer, are their partner when it comes to security and access controls for resources hosted in AWS.

Amazon goes on to state that, "While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter."



All of that basically boils down to the cold, hard fact that you, the Amazon customer, need a comprehensive Identity and Access Management tool deployed to secure your resources in AWS.  EmpowerID customers have asked for a better solution for this emerging paradigm and our development team has delivered in the form of our EmpowerID AWS Manager.


Built from the ground up to deliver functionality not typically seen in an Identity and Access Management suite, our team has packed the AWS Manager with a lot of functionality.  Securing and managing RDP access, setting server uptime policies, and even the ability to start and stop servers in AWS directly from a dashboard ensure that you have total command over all aspects of your AWS environment.

Also included in the AWS Manager from EmpowerID is the ability to publish into our award winning IT Shop.  Business users can now find and request access to these resources.  Once requested, EmpowerID will send that request to an access owner who can approve it or reject it, and the user will be notified of the results!



The EmpowerID team is very excited about this new offering and will be hosting a webinar on October 29th at 1:00 pm Eastern.  Please follow the link and register today.

Topics will include:

  • Managing RDP access with enterprise policies
  • Managing uptime policies and time constraints for Servers hosted in AWS
  • Managing Privileged Vaulted Credentials
  • Reviewing Audit Logs

Give us a call or click the link below for a quick demo of the EmpowerID difference.

Request a Demo

Adding Intelligence to Active Directory with an Identity Warehouse

Posted by Chris Hayes on Wed, Sep 30, 2015

According to Microsoft, the Active Directory™ service provides user and computer accounts and distribution and security groups.  This service is essential for allowing people to log into Microsoft Windows workstations and for running things like Group Policy, publishing printers and providing DNS/DHCP services.

In a simple world, an architecture like this can sometimes suffice.


Where Active Directory comes up short is when you are trying to manage a global distribution of different domains, or trying to create an automated process that will create mailboxes in Office 365 and automatically add someone to a group when their identity is created or they move to a different office, or when you want to assign an access owner to a file share and have all requests for access to that share filter up to that person rather than have everyone call the helpdesk.

These are the reasons the EmpowerID Identity Warehouse was created.  We recognized the need for fine grained authorization and approval workflows and included them.  We knew the Identity Warehouse needed comprehensive RBAC and ABAC capabilities along with delegations and location awareness so we added that in too.

In a more complex world you need an Identity Warehouse


Only with an Identity Warehouse can you automate tasks like:

  • Create an Active Directory account based upon a new record in something like UltiPro, SAP or PeopleSoft
  • Assign group membership based upon a Role, Attribute or Location
  • Assign business users as "Access Owners" or gatekeepers for file shares, SharePoint sites and more.
  • Create and perform Audits, Certifications and Attestations
  • Provide fine grained authorization at an API level for other applications and services
  • Allow for self-registration of an account for your consumers and business partners
  • Create and publish any other type of workflow

The EmpowerID Identity Warehouse contains important entitlement and authorization data for your organization.  This information is updated regularly from other databases and data stores and you get to decide how each attribute flows.  The Identity Warehouse also contains all of the statistical and analytical tools required to give you an up to date view related to risk, governance and compliance.


Here are a few more examples of how you can use the EmpowerID Identity Warehouse:


The EmpowerID Identity Warehouse plays a critical role in your fast growing infrastructure.  Ensuring that the security controls you need in place strictly follow the business rules is really what it's all about.  We like to think of Active Directory as the motor and EmpowerID as the powertrain control module, taking in all of the sensor data and determining the exact air/fuel mixtures to ensure everything runs correctly.  It's this same concept between the Identity Warehouse and Active Directory, we monitor everything and determine just what needs to be done at the lower level of Active Directory.

Want to find out more?  Click through and request a quick demo.

Request a Demo


Introducing an Enterprise Toolset to Manage Amazon's Simple AD

Posted by Chris Hayes on Mon, Sep 14, 2015

Ready for another directory store?

EmpowerID is excited to announce new capabilities for managing identities and groups in Amazon's Simple AD!  This off-premises directory from Amazon can be managed using the robust EmpowerID connector framework, with features like:

  • Scheduled inventory to see what is out in Amazon's Simple AD
  • Automated User Account Provisioning using EmpowerID RBAC and ABAC rules
  • Full Audit control
  • Full Attestation and Certification
  • Ties into our unique AWS Server management capabilities

Let's take a deeper dive into the solution and see what accounts are out in our Amazon Simple AD tenant.


Found the account we want to work on?  Let's dive a little deeper and add it to a group up in AWS.

Let's review the group changes for the user below.



And since we are talking Enterprise Controls, let's track down that change: who did it, when did it happen and what changed.



As you can see, EmpowerID continues to lead the IAM marketplace with innovative features not found anywhere else.  When it comes to identities, roles and groups in Active Directory, SQL, Amazon AWS, Azure or anything else we have the right tools for the job.

Contact us today for a discussion on how we can help you manage identities in Amazon's Simple AD or anywhere else.

Request a Demo



The Most Important Question in Enterprise Authentication, Could You Answer it?

Posted by Chris Hayes on Wed, Aug 26, 2015


Application Access:  It's easy to provision using the standards and tools available today.  Cookies, Headers, SAML, Kerberos, WS-Federation and OpenID: the tools are there and easier than ever to configure.  With Office 365, SharePoint, Box and more, your users are getting into these applications without logging in multiple times (we hope; if not, check out EmpowerID SSO).  For many organizations this is how the story goes.

  • User A needs access to Application B
  • User logs into a webserver with a credential
  • Webserver validates that credential
  • Webserver redirects User A to Application B
  • User A is in Application B
  • End of story

Yes, this is the basics of authentication: an SSO portal.

But intelligent organizations should ask themselves questions like:

  • How long should User A have access to that application?
  • Who should authorize that User A should even have access to Application B?
  • How often should we review that User A should still have access to Application B?

Why are these important questions?  In IT we just know that access should be given or taken away.  We typically don't get involved in trying to answer a question like why someone should have access.  It's for this reason that many environments have layers and layers of granted access, like sediment: access has been given and never removed.  Nobody has ever bothered to ask why this user has access to this application.

Enter the most important question in authentication today: why does a user have access to an application?  If we can answer that question, then the other related questions fall into place: who gave them access and how long should that access last.  Before you start breaking out Excel spreadsheets and walking the floors asking this question, let us propose a different route called automated attestation and certification.

EmpowerID ships with attestation and audit capabilities that slice and dice these tasks and automatically send them out to managers.  EmpowerID allows audit officers to choose what they want to certify, including things like:

  • Groups
  • Applications
  • SharePoint sites
  • File shares
  • And more

Once an auditor sets a date for the audit to be complete EmpowerID will automatically generate tasks for managers who can comment and certify as they see fit.


Audit owners can go in and review progress on the certification at any time to ensure you are on track.  


EmpowerID Attestation and Certification audits are all kept historically too so no matter when that question comes up you can always go back and see who certified the access and for what reason the access was granted.  Best of all, when that manager certifies that access EmpowerID allows the manager to specify how long that access should be valid for.  So short-term employee and vendor access just got that much easier to manage!

If you would like to discuss Attestation and Certification in more detail please click the link below and we will reach out.

Request a Demo

FIM vs EmpowerID - Building Identity Bridges That Scale

Posted by Chris Hayes on Mon, Aug 03, 2015

Microsoft FIM/Identity Manager is one of those tools that many organizations start out with when dealing with identity synchronization projects.  Testing the waters, many times it is set up to flow identities and attributes to and from an HR database or even another Active Directory Forest.  When dealing with a few identities it works well enough, but start asking it to deal with tens of thousands of identities and millions of attribute changes and you had better clear your calendar for the rest of the week.


The problem many start to recognize is that the FIM sync engine is like a single-lane bridge between identity stores.  It works great when you are servicing a very small town, but when you are trying to service a busy city things will start backing up quickly.  This architectural limitation of FIM can cause sync jobs to run for days, even a week, and in today's instant-on/instant-off world this can create serious issues.  When you disable an account in your directory store, the expectation is that the change will be reflected in other directories pretty quickly, not in a week.



EmpowerID was built from the ground up to be truly scalable, each lane can be another EmpowerID server checking in to help process sync jobs to other identity stores.  Our distributable and scalable multi-instance sync engine is capable of handling the largest and most demanding environments with billions of objects being handled on time, every time.

The EmpowerID Inventory and Sync engines manage data housed in the Metadirectory allowing you to determine attribute flow between connected systems following these flow rules which you can configure for each account store we connect to.

  • No Sync: When this option is selected, no information flows between EmpowerID and the native system.
  • Bidirectional Flow: When this option is selected, changes made within EmpowerID update the native system and vice-versa.
  • Account Store Changes Only: When this option is selected, changes can only be made in the native system and are then passed to EmpowerID.
  • EmpowerID Changes Only: When this option is selected, changes can only be made in EmpowerID and are then passed to the native system.

EmpowerID has created the best sync engine in the world, giving you fine-grained control over all aspects of identity, group, role and attribute synchronization.  Give us a call or click the link below for a quick demo of the EmpowerID difference.

Request a Demo