Edward Killeen


Delegated User Provisioning Best Practices

Posted by Edward Killeen on Wed, Nov 27, 2013

Sometimes there is no authoritative source.  Sometimes you just have to say, "Bob, provision me a user."  These are the cases where you will need a very flexible user interface to control user provisioning workflows.

See, that's the cool part: the UI is just what initiates the workflows in EmpowerID, the exact same workflows that run when it detects a new employee in the HR system.  The same series of events is kicked off: assignment of roles, membership in groups, new accounts in the cloud, notification to the party planning committee, a single sign-on dashboard.  It's all there, you are just starting it differently.

Of course, authoritative sources are called that because they have authority.  You can trust them.  With delegated user provisioning, you need to have some additional controls.  The simplest and most efficient is to have an approval workflow shape where somebody in authority has to approve the new user.  Or approve any role with a security level over XYZ.  These approvals can be serial or parallel, they can go to someone in IT or HR or anywhere in between.  They can be decided based on who the new user is.  The important part is that one rogue employee won't be creating any domain admins named Joe Derp.

Another consideration is the complexity of the user interface.  EmpowerID ships with over 400 usable out-of-the-box identity management workflow templates.  About ten of these include user provisioning forms, ranging from what we call "super simple user provisioning" to "user provisioning".

The difference is which fields are required.  In super simple user provisioning, the requester enters the new user's name, department, title, and location, and EmpowerID dynamically assigns roles.  In simple user provisioning, there is a dropdown of available roles that depends on the attributes already defined and on who the requester is (help desk can create X roles and HR can create Y roles, for example).  There is also an IT-based form where a sysadmin who understands things like OU structures can granularly define any attribute.

My own opinion is that delegated user provisioning should always have an initial lifecycle.  This is easily accomplished by adding an expiration date dropdown to the form, or by creating a business rule in the workflow that the user must be certified and renewed within that period to continue to exist.  This is basically adding attestation to any user provisioning that happens outside of automated processes.
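The two controls described above, the approval chain gated on role sensitivity and the forced expiry with certification, as an added Python example that is not EmpowerID's code. The role catalogue, the requester permissions, the security levels, the approver names and the lifetimes are assumptions chosen for illustration:

```python
"""Added example, not EmpowerID code: approval routing plus a forced lifecycle
for user provisioning requests that arrive from a form rather than an HR feed.
The role catalogue, requester permissions, levels and lifetimes are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumed role catalogue: role name -> security level (higher is more sensitive).
ROLE_LEVELS = {"staff": 1, "finance-viewer": 3, "server-operator": 5, "domain-admin": 9}

# Assumed delegation policy: which roles each kind of requester may ask for.
REQUESTER_MAY_ASSIGN = {
    "helpdesk": {"staff"},
    "hr": {"staff", "finance-viewer"},
    "it-admin": set(ROLE_LEVELS),
}
HIGH_RISK_LEVEL = 5                      # at or above this, add a second approver
DEFAULT_LIFETIME = timedelta(days=30)    # applied when the form carries no expiry
MAX_LIFETIME = timedelta(days=90)        # longest a delegated account may live uncertified


@dataclass
class ProvisioningRequest:
    requester_role: str
    new_user: str
    roles: List[str]
    expires: Optional[date] = None       # what the requester picked on the form
    source: str = "delegated"            # "hr" when the HR feed raised it


@dataclass
class Decision:
    rejected: List[str] = field(default_factory=list)
    approvals_required: List[str] = field(default_factory=list)   # serial chain
    expires: Optional[date] = None       # None means the HR feed owns the lifecycle


def route_request(req: ProvisioningRequest, today: date) -> Decision:
    if req.source == "hr":
        return Decision()   # authoritative source: no approval gate, no forced expiry
    d = Decision()
    allowed = REQUESTER_MAY_ASSIGN.get(req.requester_role, set())
    # Unknown roles, and roles outside the requester's delegation, never reach an
    # approver: a helpdesk user cannot even ask for domain-admin.
    d.rejected = [r for r in req.roles if r not in ROLE_LEVELS or r not in allowed]
    granted = [r for r in req.roles if r not in d.rejected]
    if not granted:
        return d
    # Serial approval chain: the hiring manager always signs off; a security
    # officer is added when any requested role is at or above HIGH_RISK_LEVEL.
    d.approvals_required.append("hiring-manager")
    if any(ROLE_LEVELS[r] >= HIGH_RISK_LEVEL for r in granted):
        d.approvals_required.append("security-officer")
    # Lifecycle: delegated users must expire and then be certified, and the form
    # cannot push the expiry past MAX_LIFETIME.
    requested = req.expires or (today + DEFAULT_LIFETIME)
    if requested <= today:
        raise ValueError("expiry date must be in the future")
    d.expires = min(requested, today + MAX_LIFETIME)
    return d


def due_for_certification(expires: Optional[date], today: date, notice_days: int = 14) -> bool:
    """True when a delegated account is inside the notice window or already past expiry."""
    return expires is not None and (expires - today).days <= notice_days


def certify(decision: Decision, today: date) -> Decision:
    """An attester confirms the account is still needed: the expiry advances one
    MAX_LIFETIME period and the approved roles are left untouched (no re-grant)."""
    if decision.expires is None:
        raise ValueError("only delegated accounts carry a certification lifecycle")
    decision.expires = today + MAX_LIFETIME
    return decision
```

A request is rejected before it reaches anyone when the requester's delegation does not cover the role; the approval chain grows only for sensitive roles; and a delegated account always leaves with an expiry, which `certify` renews without re-running the approvals.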

The reason I believe this attestation and lifecycle are important is the use cases for delegated user provisioning.  The most obvious ones are:

  • temporary employees or contractors
  • task based highly privileged accounts
  • additional accounts for an existing user
  • partners and suppliers accounts

None of these types of accounts should be subject to having perpetual access and permissions within your network.  With a strong IAM platform like EmpowerID, these security concerns can be alleviated even on users provisioned outside of normal channels.

Take a look at this video demonstrating EmpowerID's role-based user provisioning; it shows some examples of the delegated user provisioning forms (because showing automated user provisioning makes for a boring demo :) ).  Then schedule a personalized demonstration where we can help you start designing your own user provisioning processes.


Tags: User provisioning, Identity and Access Management (IAM)

Identity Management training: the key concepts in action

Posted by Edward Killeen on Tue, Nov 26, 2013

EmpowerID believes in the philosophy that teaching a man to fish will keep him fed for a lifetime.  The same applies to identity management: it should not be software for which you need to keep hiring consultants every time you want to change a business process.

EmpowerID is the best value in IAM with the least complexity.  The key is our all-in-one platform approach covering everything from SSO with Web Access Management, provisioning and identity administration, governance, a virtual directory, multi-factor authentication, and a visual workflow platform, all on a single code base that was not acquired piecemeal and stitched together.  EmpowerID delivers more value on day one with over 400 usable IAM workflows out of the box.

This is evident in our Identity Management training program.  We offer both administrative and developer training to teach you to fish and have an immediate impact delivering IAM functionality out of the box on day one.

We provide an extensive wiki that covers all of our documentation and is publicly available.  This wiki gives extensive instructions on the how and why of all of EmpowerID's identity management functionality.  Our customer forums give customers a place to compare and contrast ideas and solutions while having a direct link not only to support staff but to developers, architects and engineers as well.

We have recently published overviews of the training to give a head start to customers wanting to see how the product works and is configured, along with identity management best practices.  They are on our YouTube channel.

One of our implementation engineers told me on my first day that he could have EmpowerID up and running and automatically managing Active Directory in an organization within two hours.  Adding additional identity components is just as efficient.

Take a look at our identity management training and ask yourself, is my solution that straight forward?  Are my processes that good?  Do I know how to fish for identity management?

Tags: Identity and Access Management (IAM)

Active Directory synchronization from multiple sources

Posted by Edward Killeen on Wed, Nov 20, 2013

Active Directory has to be accurate.  It is too important to security, productivity and your sanity to let its identity data be wrong.  Users need AD to log on to the network, applications need AD to resolve permissions, and everyone needs groups for email.

The problem is that all of the identity information you need to synchronize with Active Directory is in different places.  The old days of writing a script to copy the department code from your HRIS are gone; between network complexity and the cloud, you need a more powerful, flexible identity synchronization solution.

EmpowerID employs a metadirectory to create a hub and spoke approach to identity and Active Directory synchronization.  The metadirectory becomes the full authoritative source for all identity information, using flexible attribute synchronization rules to move identity data from all sources to this central identity store.

From the metadirectory, you can then take all of the identity information for the user, synchronize it to Active Directory, and dynamically generate groups and roles for the user.  The attribute flow can be bi-directional or uni-directional, across forest and domain boundaries, and to and from cloud applications.  The sky is the limit.

One of the big tricks is then managing data outside of ADUC.  EmpowerID not only has this powerful synchronization engine, but also provides AD self service with very flexible approval workflow capabilities.  The user can change their mobile phone number but will need manager approval to update their title, or IT approval to join the domain admin group.  Using EmpowerID's unique Rights Based Approval Routing (RBAR) technology, these approval workflows can be configured exceptionally easily and quickly.

Your network, both on-premise and cloud-based, has gotten big and complex, but keeping AD accurate is simple with EmpowerID's combination of AD synchronization and AD self service.  Learn more about how to keep Active Directory accurate with a personalized demo or download this whitepaper.


Tags: Active Directory

Self Service Identity Management

Posted by Edward Killeen on Thu, Nov 07, 2013

How about a trick question?  What is your most authoritative source for identity information?  It's not that tricky: your HRIS.  But your actual users are an awfully close second.  They know themselves, and if you give them a self service portal, they can make your life easier.

The real trick is what you allow them to update via self service.  Most shops allow some limited Active Directory self service.  But there is so much more that you can open up with a well-designed self service identity management system...as long as you put controls, approvals and lifecycle into effect.

EmpowerID's HTML5 interface gives users a clean view into any application or identity store via a single interface from any device.  Attributes, group and role memberships, and permissions for any identity store / application can be managed via the metadirectory with updates either pushed directly to the application or synchronized on a scheduled basis.

Any field can be hidden, read-only, or editable based on the user's role(s).  Approval workflows are managed via EmpowerID's unique RBAR architecture (Rights Based Approval Routing), allowing you to easily manage who can and cannot make and approve changes.  Lifecycle can be applied to any object or membership, allowing you to have full identity lifecycle and temporary privileged access.

But the most important factor is what your users have access to self-serve.  Where most solutions stop at Active Directory, EmpowerID just starts there.  If a user needs to change their home phone number, that information needs to filter to AD for the GAL, HR for contact information, the emergency notification system, and to benefits databases.  Important information like this should not be left to scripts written by some contractor who won't work there in 3 months.

There are other glaring examples around group memberships that affect other systems: dynamic group memberships driven off identity information, office locations that determine parking privileges, mobile phone numbers used for second-factor authentication and device registration.

Think of all of the things your users know about themselves that you cannot find out.  That is your list of attributes and systems that you allow self service for.  Think of everyplace that those attributes need to be synchronized.  That is your list of applications, databases and directories that you need to connect to.  Think of everyone who can actually approve those changes, that is your RBAR structure.

Allowing self service for identity management does not replace the connectors, synchronization and metadirectory.  It complements them and makes a more thorough identity management solution.


Tags: Active Directory, Identity and Access Management (IAM)

Identity lifecycle management: users and groups

Posted by Edward Killeen on Tue, Nov 05, 2013

Every beginning has its end.  What goes up must come down.  The circle of life.

Lifecycle exists everywhere, but very specifically in identity management.  The "phrase du jour" appears to be Identity Governance and Administration, but at one point it was Identity Lifecycle Management...lifecycle is the governance and administration part of the new phrase.

Going through customer requirements every day, I noticed that lifecycle is sometimes forgotten due to these new phrases.  But the biggest security threat you have is the users who still have access but are no longer with your firm.  Or have moved to a new job within the firm that needs less access.  Or were a contractor who is now working with your competitor.

Two objects within your identity store need lifecycle most desperately: users and groups/roles.  If you manage those, the permissions will follow.  These two objects need several actions: start/stop dates and attestation / certification.  Basically set the parameters of the lifecycle and give a mechanism to approve that identity lifecycle and allow exceptions.

Let's start with user lifecycle.  You have several types of users: internal & external, person & application, permanent & temporary.

  • Internal/external users: these should be in a metadirectory that allows you to manage them separately and not equally.  Internal users should have their lifecycle determined by an HR system, you really don't need to set an expiration date unless they are temps/contractors.  External users should have a set policy on how long they live with an internal user attesting to their account on a scheduled basis.
  • Person v. application users: The person object is EmpowerID terminology for the user's identity; each application user account (AD, Salesforce, Google Apps, for example) is linked to the person object.  Application accounts should either have a lifecycle that needs attestation and certification or be tied to a role or group membership (which likewise has a lifecycle).
  • Permanent v. temporary users:  Temporary users come with a built-in lifecycle.  You know that you are only authorized to hire a contractor for a 3 month engagement, so it is easy to tie an expiration date to that user, but you need an attestation workflow that easily extends the user without having to re-grant all of their privileges.

For role and group lifecycle, you need to manage three things: the lifecycle of the role/group itself, the membership of that role/group, and the permissions that the role/group has.  EmpowerID delivers stock workflow templates for all of these lifecycle actions.

  • The lifecycle of the role/group itself: This is similar to a user lifecycle in that the business owner of the role and/or group needs to attest to its usefulness to the business every x months.  The ability to determine different lifecycles for each role/group is essential as well as have some never expire roles (domain admins for example).
  • The membership of that role/group:  The membership certification of a group is a regulatory requirement in many industries but one that is often overlooked.  The business owner should have a way to either certify the rule that populates the group (clinicians in Ohio for example) or the exact membership.  Any membership exception needs to be noted and certified as well.
  • The permissions that the role/group has: Once you know the group should exist and the membership is correct, the owner of the resource should attest to which groups and/or roles have access.  They don't need to worry about whether the membership is correct, the proper business owner already did that, they just need to say "yes, my patient records should be accessed by Ohio clinicians".
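The membership and permission certification stages above, as an added Python example that is not EmpowerID's code (the first stage, whether the group should exist at all, is a yes/no the owner records and needs no code). The attribute names, the Ohio-clinician rule, the user records and the resource ACL are constructed for illustration; the point it shows beyond the text is that comparing the rule against the real membership also surfaces drift, such as a terminated user still in the group or an exception certification that has gone stale:

```python
"""Added example, not EmpowerID code: membership certification for a rule-driven
group, then resource-level attestation on top of it. Everything below is constructed."""
from typing import Callable, Dict, Iterable, List, Set

Attrs = Dict[str, str]

# Constructed identity records, as a metadirectory might hold them.
USERS: Dict[str, Attrs] = {
    "alice": {"job": "clinician", "state": "OH", "status": "active"},
    "bob":   {"job": "clinician", "state": "PA", "status": "active"},
    "carol": {"job": "billing",   "state": "OH", "status": "active"},
    "dave":  {"job": "clinician", "state": "OH", "status": "terminated"},
    "erin":  {"job": "clinician", "state": "OH", "status": "active"},
}


def ohio_clinicians(a: Attrs) -> bool:
    """The membership rule the group owner certifies instead of a list of names."""
    return a["job"] == "clinician" and a["state"] == "OH" and a["status"] == "active"


def evaluate_rule(rule: Callable[[Attrs], bool], users: Dict[str, Attrs]) -> Set[str]:
    return {name for name, attrs in users.items() if rule(attrs)}


def review_membership(rule: Callable[[Attrs], bool], users: Dict[str, Attrs],
                      actual_members: Iterable[str],
                      certified_exceptions: Iterable[str]) -> Dict[str, List[str]]:
    """Membership stage: every actual member is explained either by the rule or by
    an exception the owner already certified; anything else needs an owner decision.
    Drift is reported too: rule matches the group lacks, and exception certifications
    that no longer correspond to an exception (and should be retired)."""
    actual, certified = set(actual_members), set(certified_exceptions)
    expected = evaluate_rule(rule, users)
    exceptions = actual - expected
    return {
        "explained_by_rule": sorted(actual & expected),
        "certified_exceptions": sorted(exceptions & certified),
        "needs_decision": sorted(exceptions - certified),   # e.g. a terminated user still present
        "missing_from_group": sorted(expected - actual),
        "stale_exception_certs": sorted(certified - exceptions),
    }


def review_resource_access(resource_acl: Iterable[str],
                           owner_certified: Iterable[str]) -> Dict[str, List[str]]:
    """Permissions stage: the resource owner attests to which groups/roles may reach
    the resource. They do not re-check who is in those groups; the membership stage did."""
    acl, ok = set(resource_acl), set(owner_certified)
    return {"keep": sorted(acl & ok), "revoke": sorted(acl - ok)}
```

Run against the constructed data, the Ohio-clinicians group containing alice, bob, carol and dave, with bob and erin on file as certified exceptions, yields alice explained by the rule, bob as a valid exception, carol and dave (a billing user and a terminated clinician) needing an owner decision, erin missing from the group, and erin's old exception certification flagged as stale because the rule now covers her.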

These identity lifecycle workflows can be incorporated into your provisioning, audit and governance workflows without much more effort.  You will have better regulatory compliance, your business will be more secure, and your users will be the right users having the right access to the right resources.  Schedule a demo of how identity lifecycle management should work now.


Tags: Identity and Access Management (IAM)

The marriage of access governance and access control

Posted by Edward Killeen on Fri, Nov 01, 2013

I might be splitting hairs, but access governance and access control are different animals...yet different animals that belong to the same species.  I'm picturing a doberman dachshund mix, cute AND effective as a guard dog!

Most Identity & Access Management (IAM) projects seem to focus on one or the other and often end up with two products, one for access control and one providing access governance.  But why wouldn't you want one solution providing both aspects of access, looking forward and looking backward.

EmpowerID's Role Based Access Control (RBAC) engine secures resources, manages roles and permissions, manages Separation of Duties (SOD), and has a powerful multi-tier attestation capability.  In addition to RBAC, EmpowerID also incorporates Attribute Based Access Control (ABAC) into its capabilities for finer-grained permissions delivered at run-time.  Temporary Privileged Access (TPA) helps keep your organization following the principle of least privilege.

That is access control.  All of these permissions and roles are stored in the EmpowerID metadirectory and projected into other platforms (AD, UNIX) and applications (cloud and on-premise) to give a comprehensive access control platform for the entire enterprise.

And that is the key, it is stored centrally.  All access control for all connected systems and applications.  Sitting there in a comprehensive, scalable, secure metadirectory.  And within that same platform that is controlling all of this access are the access governance workflows.

Access governance comes in two flavors: audit-driven and business-driven.  Auditors usually want reports and stacks of paper detailing all of the SOD violations, the excess permissions, the compliance issues.  Business owners want the same thing but also want the ability to effect the change immediately to remedy an issue.

EmpowerID gives a 360 degree view of permissions to address this (and actually, auditors appreciate this too!):

  • Who is a member of a role and/or group
  • What resources does that role and/or group have access to
  • What users/roles/groups have access to a particular resource

So, you look at it from the user perspective, the role perspective, and the resource perspective.  At any point, with the business-driven access governance approach, the business owner can correct an issue, authorize an exception, or delegate the action.  EmpowerID's approval workflows can escalate anything and all of these actions are then reported for the audit-driven access governance.

Access governance is managed from within the exact same user interface as access control, which gives a familiar look and feel and puts the workflows to fix an issue within a mouse click.

Access Governance and Access Control do not have to be separate.  Provide the auditor the tools for access governance, but fix the access issues as they happen, not once an auditor finds them.


Tags: Role Based Access Control (RBAC)

Cloud SSO from mobile devices and your desktop

Posted by Edward Killeen on Thu, Oct 31, 2013

We have a very large home healthcare client with a very common problem: most of their employees are on the road, needing access to corporate and cloud applications using a tablet.  These users have numerous critical applications they need to access for medical history, prescriptions, scheduling and all of the traditional cloud applications.  If they couldn't authenticate and log on, they certainly could not call the helpdesk while sitting with their patients.

The solution to the problem consisted of three parts:

  1. Single sign-on using a combination of Federation, Web Access Management (WAM), and password vaulting.
  2. Role based access control to give the mobile user the correct access within applications.
  3. Two Factor Authentication using OATH tokens for high security applications.

Single sign-on to these corporate and cloud applications was the first priority.  Because EmpowerID has a metadirectory that inventories and synchronizes identities with all of the applications, we know who the users are.  We configured EmpowerID to authenticate the user and present a unified dashboard regardless of the method used for single sign-on.  Several of the applications were federated using SAML, Web Access Management (WAM) was used for most, and one lone legacy app was handled with secure password vaulting.

With a mixture of on-premise and cloud applications, this unified interface is essential for the user experience.  EmpowerID's user interface is HTML5, so it adapts to the device, giving a modern, clean appearance regardless of the screen dimensions (smartphone, tablet, laptop).  Device registration adds another layer of security, as IT can keep track of the devices used in the field, even limiting access to corporate-issued devices in some divisions.


Of course you need to add RBAC to the mix.  A nurse doesn't have the same access needs as a doctor or technician or delivery manager.  Not only are the SSO dashboards security trimmed based on role(s) but EmpowerID's connectors can project roles into the applications whether they be cloud or on-premise to give the correct access within the application.

These same roles are then used to determine when to demand two factor authentication.  Based on a combination of the user's role and the security level of the application being accessed, EmpowerID will demand a second factor using its OATH server.  Issuing this OATH token gives a layer of security for both the CISO and the auditors.

Accessing today's complex mix of on-premise and cloud applications from a complex mix of mobile and desktop devices is, in a word, complex.  EmpowerID's mix of SSO methods, RBAC workflows and metadirectory simplifies it not only for your users but for IT as well.  Schedule a demo and see how Cloud SSO can be made less complex.


Tags: Single Sign-on (SSO)

Active Directory management without ADUC

Posted by Edward Killeen on Tue, Oct 29, 2013

Active Directory is a bear to manage through ADUC.  It is clumsy and all-encompassing, and the ability to manage granularly is exceptionally complex.  Delegating and instituting fine-grained permissions requires deep and arcane knowledge of Active Directory.  In short, Active Directory management is difficult with ADUC, and it doesn't have to be that way.

EmpowerID is a full IAM suite that has the ability to specifically manage Active Directory exactly the way you need, either through delegation or automation.  The actual changes are made in the EmpowerID metadirectory with a very well established and powerful connector to Active Directory.  So, you manage with EmpowerID's RBAC structure and then send those changes to AD.

One benefit of this structure is that you can manage multiple domains and forests from a single instance of EmpowerID.  Your helpdesk in Forest A can manage users in Forest B.  GAL sync is a breeze.

Another advantage is the full auditing controls of EmpowerID.  The ability to institute attestation and lifecycle on any AD object.  Full reporting and audit grids are available for business users and auditors.  Separation of duties can be applied from groups, OUs, roles and managed even cross forest if necessary.

Self service Active Directory management can be rolled out based on the user's roles, giving everybody the exact access to change identity attributes or group memberships that their roles allow.  Approval workflows are easy to configure using EmpowerID's proprietary Rights Based Approval Routing (RBAR).

Dynamic memberships in roles and groups are managed easily and efficiently in EmpowerID.  Group membership is always up to date with the ability to read identity attributes not only from Active Directory but any other identity store.

Everything can have a lifecycle, giving a 360 degree view of attestation and the ability to certify and approve lifecycle attestation from within emails.  Delegation and auditing of attestation should be a given.

Break glass permission workflows are available for temporary privileged access.  So, if an admin needs emergency access to a server, they can run the workflow, be granted temporary access, and have that access completely auditable and reported to the CISO.

If changes are made natively in ADUC, you can have a workflow to roll them back, report on those native changes, or send them for further approval.  Most importantly, with EmpowerID, you can completely shut off native ADUC access.  Many of our customers do this, having all changes made from within EmpowerID.
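Native change detection with per-attribute handling, as described above, as an added Python example that is not EmpowerID's code. The per-attribute policy (roll back, send for approval, or just report) and the sample records are assumptions; the comparison normalizes multi-valued attributes and case so that a reordered or differently cased memberOf list is not mistaken for a native change:

```python
"""Added example, not EmpowerID code: detect an attribute change made natively
(e.g. in ADUC) that bypassed the workflow, and settle it per attribute policy.
The policy table and the sample records are assumptions."""
from typing import Any, Dict, List, Set, Tuple

# Assumed per-attribute policy for changes that did not come through the workflow.
POLICY = {
    "memberOf": "rollback",   # group membership changes only via an approved workflow
    "title": "approve",       # a native title change is kept only if a manager ratifies it
    "mobile": "report",       # low risk: log it and absorb it into the metadirectory
}
DEFAULT_POLICY = "rollback"   # anything not listed is treated as high risk

Action = Tuple[str, str, Any]   # (attribute, action, value to apply)


def _normalize(value: Any) -> Any:
    """Multi-valued attributes compare as order-insensitive sets; strings fold case,
    since DNs and most AD attributes are matched case-insensitively."""
    if value is None:
        return None
    if isinstance(value, (list, set, tuple)):
        return frozenset(str(v).lower() for v in value)
    return str(value).lower()


def reconcile(desired: Dict[str, Any], actual: Dict[str, Any]) -> List[Action]:
    """Compare the metadirectory's desired state with what the directory holds now."""
    actions: List[Action] = []
    for attr in sorted(set(desired) | set(actual)):
        want, have = desired.get(attr), actual.get(attr)
        if _normalize(want) == _normalize(have):
            continue
        action = POLICY.get(attr, DEFAULT_POLICY)
        # rollback re-applies the desired value; approve/report carry the native value
        actions.append((attr, action, want if action == "rollback" else have))
    return actions


def apply_actions(desired: Dict[str, Any], actual: Dict[str, Any],
                  actions: List[Action], approved: Set[str]):
    """Settle each action: rollback writes desired -> directory, report writes
    directory -> metadirectory, approve goes one way or the other depending on whether
    the approver ratified that attribute. Returns the two updated records."""
    desired, actual = dict(desired), dict(actual)
    for attr, action, value in actions:
        if action == "rollback" or (action == "approve" and attr not in approved):
            if desired.get(attr) is None:
                actual.pop(attr, None)          # attribute was never meant to exist
            else:
                actual[attr] = desired[attr]
        else:
            desired[attr] = value
    return desired, actual
```

With a user whose title, mobile number and group list were all edited natively, the result is a rollback of the added Domain Admins membership, an approval request for the title, and a report (then absorption) of the new mobile number; which attributes land in which bucket is entirely the policy table's decision.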

Active Directory management can be a lot better than ADUC will ever allow.  Read our whitepaper on replacing ADUC and improve your AD management with fewer resources.


Tags: Active Directory

Web and cloud single sign on in the modern world

Posted by Edward Killeen on Fri, Oct 25, 2013

The average corporate user has to access over 16 applications in the course of their job, which can mean up to 16 sets of credentials (username and password).  Assuming 30 seconds of extra time per credential per day, that's about 40 minutes per week wasted on usernames and passwords.  Factor in a forgotten or locked password per week and you are up to almost an hour per week spent dealing with this wholly unnecessary routine of passwords.

Why?  Single sign on.  It is better, it's easier, it's more secure.

Your user has to authenticate at least once, usually with their Windows credentials.  Now you know who they are.  You know what applications they have access to, both on premise and cloud.  So why are they having to continually prove their identities to each application?

Of those 16 web and cloud applications, probably half support federation, usually SAML or OAuth.  (EmpowerID supports SAML, OAuth, OpenID, WS-Trust, and WS-Federation.)  You can federate with those applications: they trust that you know who your users are, so your Identity Provider (EmpowerID) simply sends a token to the application asserting who your user is and the access they have.  No username or password typed.

For those web applications that are not federated, Web Access Management (WAM) is the way to go.  For these applications, EmpowerID either uses an agent in the application or a reverse proxy to secure the URL and pass a secure header variable with your user's credentials.  This tried and true method can usually cover a quarter of applications.
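The reverse-proxy header pattern above, as an added Python example that is not EmpowerID's code. It models the proxy and the protected application as two functions; the header names, the HMAC signature over the header value, the session store, the path-to-role map and the shared key are all assumptions. The check a practitioner wants here is visible in both halves: the proxy strips any identity header the client itself sends before setting its own, and the application honours the header only when the request arrived over the proxy path and the signature verifies.

```python
"""Added example, not EmpowerID code: header-passing Web Access Management via a
reverse proxy, with the checks that stop header spoofing. Header names, the HMAC,
the session store, the path map and the key are assumptions."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

IDENTITY_HEADER = "X-Remote-User"          # assumed header the back-end trusts
SIGNATURE_HEADER = "X-Remote-User-Sig"     # assumed HMAC over the identity value
PROXY_KEY = b"example-shared-secret"       # assumed; known only to proxy and app

# Constructed session store: cookie value -> authenticated identity and roles.
SESSIONS = {"s3ss10n-abc": {"user": "edward", "roles": {"staff"}}}
# Constructed URL protection map: path prefix -> roles allowed through.
PROTECTED = {"/app/": {"staff"}, "/admin/": {"it-admin"}}


def sign_identity(user: str) -> str:
    return hmac.new(PROXY_KEY, user.encode(), hashlib.sha256).hexdigest()


def proxy_request(path: str, headers: Dict[str, str],
                  cookies: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers forwarded to the application).
    First rule: drop any identity headers the client sent. If the proxy merely
    appended its own, a client could impersonate anyone by sending X-Remote-User."""
    blocked = {IDENTITY_HEADER.lower(), SIGNATURE_HEADER.lower()}
    forwarded = {k: v for k, v in headers.items() if k.lower() not in blocked}

    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return 302, {"Location": "/login?next=" + path}   # authenticate once, here
    allowed = next((roles for prefix, roles in PROTECTED.items()
                    if path.startswith(prefix)), None)
    if allowed is None:
        return 404, {}
    if not (allowed & session["roles"]):
        return 403, {}                      # role-trimmed, not merely authenticated
    forwarded[IDENTITY_HEADER] = session["user"]
    forwarded[SIGNATURE_HEADER] = sign_identity(session["user"])
    return 200, forwarded


def backend_identity(headers: Dict[str, str], arrived_via_proxy: bool) -> Optional[str]:
    """What the protected application does with the header: trust it only when the
    request came over the proxy's private path and the signature verifies."""
    if not arrived_via_proxy:
        return None
    user, sig = headers.get(IDENTITY_HEADER), headers.get(SIGNATURE_HEADER)
    if not user or not sig or not hmac.compare_digest(sig, sign_identity(user)):
        return None
    return user
```

The `arrived_via_proxy` flag stands in for whatever network control keeps clients from reaching the application directly (a private listener, a firewall rule, mutual TLS); without that, or without the signature, an identity header is just a string anyone can type.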

For those remaining applications that cannot federate or use WAM, secure password vaulting can keep the exact same SSO experience for your users.  Your user will claim the account, enter their username and password ONCE, and EmpowerID will encrypt and pass these credentials as your user signs in.

Your users will have a single SSO dashboard for all of these applications and never have to type another set of credentials for any web applications, on premise or the cloud.

That being said, making it too easy can be an issue sometimes as well.  Say one of those web applications stores all of the company secrets, like the Colonel's secret recipe or the location of the exhaust vent on the Death Star.  You have to secure that, right? 

That's when you add a second factor authentication to that specific application.  Incorporate an OATH token into the authentication process for that application, send it to a known device for the user and be doubly sure that they are who they say they are.  With EmpowerID, this two factor authentication can be added into any SSO workflow and even be based on the user's role.

Saving your users time while increasing security seems like a win-win, and single sign on does both.  Schedule a demonstration of EmpowerID's complete SSO capabilities and/or download our whitepaper on the Top 5 Federated Single Sign On Scenarios.


Tags: Single Sign-on (SSO)

Delegate with Active Directory Self Service

Posted by Edward Killeen on Wed, Oct 23, 2013

There is a saying in Identity Management: "What you can't automate, delegate."  It may be something that only I say, but it should be said more often.  Because following that credo improves security, productivity and the bottom line.

The project list of things to automate is a mile long, starting with user provisioning and permissions, group and role memberships, identity synchronization, and so on.  For delegation, the list is equally long: password reset, group membership, single sign-on, cloud accounts, and the lowest-hanging fruit, Active Directory self-service.

Active Directory is a tricky beast; there are parts of it you need to completely cordon off.  You can't let anyone mess with the OU structure, change their own title, or delete user accounts.  But you do want them to update their own mobile phone number, change the title of a user reporting to them, join a distribution group, or update their password.  Within ADUC it is effectively all or nothing; native delegation of per-attribute rights exists, but managing it at this granularity is arcane.

The key to any AD self service solution is to have controls in place; an RBAC policy that defines who can do what without undue amounts of configuration.  You need to be able to define who can do what action (change a password, update phone numbers, create a group), who needs to approve it, and what is even shown to each user.  Having a dynamically maintained role structure and Rights-based approval routing (RBAR) allows you to have this level of granularity.

EmpowerID's HTML5 user interface means that updates can be made from any device, its unique combination of RBAC and ABAC allows for very fine grained permissions, and RBAR means that you don't have to define every single permission for approvals, it is all handled within the system.

With all of this delegation power available from the self service interface, native access can be shut down to ADUC.  You can have admin roles, help desk roles, manager roles, user roles, and all of it managed dynamically.  No more accidental deletion of an OU because you had to give an intern access to ADUC to change a user's telephone number (true story).

What separates a full IAM solution from a point solution is what it does with this Active Directory information.  An IAM solution can take these changes to AD and flow them to other identity stores and applications.  For example, the phone number change can update the emergency contact list, a title change can update HRIS once an approval workflow is satisfied, a change in a security group can update a user's role in a cloud application.

I'm not sure if you noticed in this post, but this is all delegated or automated.  IT just configures it using EmpowerID's visual workflow studio and users and computers do the rest.  Delegate out this lowest hanging of all fruit, AD self service, and improve security, productivity and the bottom line!


Tags: Active Directory