Edward Killeen

Recent Posts

Is XACML the Esperanto of IT Security?

Posted by Edward Killeen on Wed, May 08, 2013

Andras Cser of Forrester writes that XACML is Dead.  The first analyst question I was asked as head of marketing at EmpowerID was, "do you support XACML?"  The easy answer was (and is), "we will when application vendors do."  Andras' first point on the cause of XACML's death: "Lack of broad adoption."

Andras' second point is the one that gets to the technical heart of the matter rather than the logistical: XACML's "inability to serve the federated, extended enterprise."  Identity and Access Management (IAM) has moved well beyond the borders of an Active Directory forest.  Organizations are managing their internal users, partners, customers, and contractors, and need a flexible authentication and authorization system that can accommodate the unique needs of each constituency.

Additionally, the applications they are accessing are growing more varied and widespread.  You have legacy applications, cloud applications, web applications, and mobile applications.  Organizations demand an IAM platform that can authenticate and authorize against all of them, not just the ones that happen to support a specific standard.

So, while some analysts have been trumpeting loudly that XACML is going to make authorization easy and standards based, the market and forward thinking analysts like Andras have realized that IAM in today's world is too complicated for it.

Unfortunately, this leaves us with the question: how the heck do we manage authorization in this new, complicated world?  We believe that EmpowerID has hit on the best way to manage it, by integrating roles into every single aspect of IAM, from provisioning to authentication to password reset to SSO.  Making your roles pervasive across IAM gives you flexibility on the question of who has access to what, and when.

EmpowerID's role engine was designed as part of a purpose-built, single-codebase IAM platform; roles are an integral part of each IAM function rather than a bolt-on.  Our polyarchical role structure (a role can inherit from more than one parent, across separate hierarchies such as location and department) is flexible and intuitive, giving organizations a great deal of latitude in how they apply permissions and authorization.

Where roles alone are too static, we combine ABAC with RBAC, so that runtime decisions can also depend on attributes held in any connected system.

EmpowerID includes an advanced authorization policy engine that allows organizations to define a user’s access to a diverse set of corporate and cloud-hosted resources via flexible RBAC and ABAC rules. This “resultant access” information is then either consumed or “pulled” by systems that support leveraging an external authorization engine to make access decisions or “pushed” down onto systems that don’t.
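The RBAC-plus-ABAC idea above, as an added, self-contained Python illustration (this is not EmpowerID code; the roles, resources and attribute names are made up for the example): each rule grants a permission to a role, optionally gated by a predicate over the subject's attributes and the request context.  `decide` is the runtime ("pull") path, where the system asks the engine at access time.  `resultant_access` pre-computes what can safely be "pushed" to a system that cannot call out at decision time, which is exactly the permissions whose conditions do not depend on the request context.

```python
"""RBAC with ABAC refinement: added example, not EmpowerID code.
Roles, resources and attribute names below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Attrs = Dict[str, object]


@dataclass(frozen=True)
class Permission:
    resource: str
    action: str


def always(subject: Attrs, ctx: Attrs) -> bool:
    return True


@dataclass
class Rule:
    role: str                                           # role that receives the grant (RBAC part)
    permission: Permission
    condition: Callable[[Attrs, Attrs], bool] = always  # attribute predicate (ABAC part)
    needs_context: bool = False                         # True if the predicate reads request context
    note: str = ""


# Constructed sample policy.
POLICY: List[Rule] = [
    Rule("employee", Permission("intranet", "read")),
    Rule("sales", Permission("crm", "read")),
    Rule("sales", Permission("crm", "export"),
         condition=lambda s, c: s.get("region") == c.get("record_region"),
         needs_context=True, note="export only records from the subject's own region"),
    Rule("finance", Permission("ledger", "write"),
         condition=lambda s, c: c.get("network") == "corp" and not s.get("contractor", False),
         needs_context=True, note="corporate network only, and never for contractors"),
    Rule("hr", Permission("payroll", "read"),
         condition=lambda s, c: s.get("country") == "US",
         note="subject-only condition, so it can be pre-calculated"),
]


def decide(roles: Set[str], subject: Attrs, permission: Permission, ctx: Attrs) -> bool:
    """Runtime decision: grant if any rule matches a held role, the requested
    permission, and its attribute condition holds for this subject and request."""
    return any(
        rule.role in roles and rule.permission == permission and rule.condition(subject, ctx)
        for rule in POLICY
    )


def resultant_access(roles: Set[str], subject: Attrs) -> Dict[str, Set[str]]:
    """Pre-calculated access for systems that cannot query the engine at decision
    time. Only context-free rules are included; context-dependent grants cannot
    be pushed, because their outcome is not known until a request is made."""
    access: Dict[str, Set[str]] = {}
    for rule in POLICY:
        if rule.role in roles and not rule.needs_context and rule.condition(subject, {}):
            access.setdefault(rule.permission.resource, set()).add(rule.permission.action)
    return access


if __name__ == "__main__":
    alice_roles, alice = {"employee", "sales"}, {"region": "EMEA"}
    print(decide(alice_roles, alice, Permission("crm", "export"), {"record_region": "EMEA"}))  # True
    print(decide(alice_roles, alice, Permission("crm", "export"), {"record_region": "APAC"}))  # False
    print(resultant_access(alice_roles, alice))  # {'intranet': {'read'}, 'crm': {'read'}}
```

The split between `needs_context` and subject-only conditions is the practical line between the two delivery models: a grant that depends on the network the request arrives from, or on the record being touched, can only be enforced by a system that asks the engine per request; a grant that depends only on the person's own attributes can be materialized into the target system's native permissions and refreshed whenever those attributes change.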

Read more about EmpowerID's authorization engine, schedule a demo, or request a whitepaper on Best Practices in Enterprise Authorization.  XACML isn't walking through that door ready to save enterprise authorization; take a look at a solution that will.


Tags: Role Based Access Control (RBAC)

Cloud SSO for Federated and non-Federated applications

Posted by Edward Killeen on Thu, May 02, 2013

Cloud SSO is essential for productivity in your organization.  It also reduces help desk costs and can improve security.  Users log into applications faster and with fewer obstacles, and fewer forgotten passwords means fewer help desk calls.  Just as importantly, IT finally gets a clear view of all of the cloud applications and user accounts in its identity ecosystem.

Here is the rub: you cannot federate with all applications.  It would be wonderful if SAML, OpenID, OAuth, et cetera were ubiquitous and you would have quick and easy federation with all of them.  In fact, we have a whitepaper on the Top 5 Federated SSO scenarios for those applications that do support federation.

So, what do you do if an application doesn't support federation?  EmpowerID's web form SSO.  Users claim their existing accounts and enter their credentials once; from then on, logins to those applications are completely single sign-on.  The user experience is exactly the same for both types of SSO, which keeps things simple for your users.  One caveat that comes with any form-fill approach: because the platform replays a stored credential on the user's behalf, that credential has to be vaulted and protected as carefully as the user's primary password, whereas with true federation there is no application password to protect.

Here is a demonstration of that user experience:

Now that your users are single signing on to ALL of their applications, you get into some of the more exciting aspects of Identity and Access Management.  The same platform (EmpowerID) that is providing SSO also provisions users into these cloud applications, and that provisioning can be role based.  So, only users in a sales role get a Salesforce account, only the developer role gets a JIRA account, and only the accounts a user actually has appear in their SSO dashboard.

So, download the whitepaper and schedule a demonstration to see how you can offer Cloud SSO and provisioning for all of your applications.


Tags: Single Sign-on (SSO)

Identity Management from within your application

Posted by Edward Killeen on Tue, Apr 30, 2013

EmpowerID is a comprehensive Identity and Access Management (IAM) platform.  It authenticates, authorizes, provisions, federates, resets passwords, audits, attests, and separates duties.  Pretty much soup to nuts Identity Management.

It does all of this for on-premises or cloud applications, and likewise for internal or external identities.  It can mix the two or keep them separate.  And it does all of it well, as shown by the more than 400 customers using the platform.

But that might not even be the most standout aspect to the platform.  Which is odd because all of the above is what is needed for you to get your job done and keep your identities accurate and secure.

Within the EmpowerID platform is a visual workflow designer.  This designer displays your identity workflows with traditional workflow shapes and decision trees, and mimics how you would design them on a whiteboard or drafting table.  It allows you to match your identity processes to your business processes, not the other way around.  You simply drag and drop the shapes and the workflow does the work for you.  Each "shape" is an identity action that you can easily configure.  It is simple, easy, and immensely powerful.

This is where the title of this blog post comes into play.  Each workflow can be exposed as a web service.  So, from within your application, you can provision a user, set an attribute, reset a password, set a role, authorize a user, or even federate.

This comes into play when you use EmpowerID's metadirectory as the backend identity store for your application's authentication.  You get the full list of functionality with which I opened this post (authentication, authorization, RBAC, provisioning, federation, password management, auditing, attestation, separation of duties, soup to nuts) without having to build any of it into your application.

This came up very recently with a customer who was looking for single sign-on into their newly built applications.  As they were talking to several of our SSO competitors, they realized that nobody else had provisioning with SSO.  And they needed this.

This customer had already built the user interface and was planning on using our OAuth server for authentication.  What was missing was a way to enforce RBAC, to let admins create new users, and to let end users reset their own passwords.  Since all EmpowerID workflows are exposed either as web services or through APIs, building this into their application became a fairly simple endeavor.

They now have a very robust IAM capability from within their application.  They can manage users, passwords, authentication, and roles from either within their application, the EmpowerID web UI, or the EmpowerID hard client.


Tags: Identity and Access Management (IAM)

Role based user provisioning demonstration

Posted by Edward Killeen on Thu, Apr 25, 2013

One of the key concepts in user provisioning is that not all users are created equal.  An IT admin may need a user account provisioned to JIRA while a sales manager needs a user account provisioned to Microsoft CRM.  All employees get an AD account and Exchange mailbox.  Partners only get a SharePoint profile.  Role based user provisioning solves this.

With EmpowerID's integrated RBAC engine, roles are assigned to each user either statically or dynamically, and usually more than one.  From a simple role assignment, EmpowerID determines which accounts that user should have and performs the heavy lifting of provisioning them, whether on premises or in the cloud.
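The role-to-account logic described here (and the role-based cloud provisioning mentioned in the Cloud SSO post above, where only the sales role gets a CRM account and only developers get JIRA), as an added Python illustration that is not EmpowerID code: roles are derived from constructed HR attributes, each role maps to the accounts it entitles, and the entitled set is diffed against the accounts the person already has to produce create and disable actions.  The HR attribute names, the title-matching rules and the target systems are assumptions made for the example.

```python
"""Role-based provisioning reconciliation: added example, not EmpowerID code.
Roles are derived from constructed HR attributes, mapped to the accounts each
role entitles, and diffed against the accounts a person already has."""
from typing import Dict, Iterable, Set

Person = Dict[str, str]

# Which accounts each role entitles, following the post's example.
ROLE_ACCOUNTS: Dict[str, Set[str]] = {
    "employee": {"Active Directory", "Exchange"},
    "it_admin": {"JIRA"},
    "sales_manager": {"Microsoft CRM"},
    "partner": {"SharePoint"},
}


def dynamic_roles(person: Person) -> Set[str]:
    """Derive roles from the authoritative HR record. The title checks are
    deliberately simple; a real deployment would key on HR job codes."""
    roles: Set[str] = set()
    if person.get("status") != "active":
        return roles          # terminated or not yet started: no roles, so no accounts
    kind = person.get("employeeType")
    if kind == "Employee":
        roles.add("employee")
        title = person.get("title", "")
        if person.get("department") == "IT" and "Admin" in title:
            roles.add("it_admin")
        if person.get("department") == "Sales" and "Manager" in title:
            roles.add("sales_manager")
    elif kind == "Partner":
        roles.add("partner")
    return roles


def entitled_accounts(roles: Iterable[str]) -> Set[str]:
    """Union of the accounts granted by every role the person holds."""
    accounts: Set[str] = set()
    for role in roles:
        accounts |= ROLE_ACCOUNTS.get(role, set())
    return accounts


def reconcile(person: Person, existing: Set[str], static_roles: Iterable[str] = ()) -> Dict[str, Set[str]]:
    """Compare what the person should have (dynamic plus statically assigned roles)
    with what they currently have, and return the provisioning actions."""
    should = entitled_accounts(dynamic_roles(person) | set(static_roles))
    return {
        "create": should - existing,      # onboarding or promotion
        "disable": existing - should,     # demotion, transfer or termination
        "keep": should & existing,
    }


if __name__ == "__main__":
    sam: Person = {"status": "active", "employeeType": "Employee",
                   "department": "Sales", "title": "Sales Manager"}
    print(reconcile(sam, set()))                                  # onboarding
    sam.update(department="IT", title="Systems Admin")            # transfer
    print(reconcile(sam, {"Active Directory", "Exchange", "Microsoft CRM"}))
    sam["status"] = "terminated"                                  # offboarding
    print(reconcile(sam, {"Active Directory", "Exchange", "JIRA"}))
```

The useful property is that the same function handles onboarding, transfers and termination: the "disable" set is what a manual process most often misses, and here it falls out of the diff whenever a role is lost.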

This video is a very simple demonstration of the process, showing the end result and how we got there.  User account provisioning does not have to be difficult or messy or, most importantly, manual.

This was, of course, a very simple example, with only a handful of accounts and a handful of roles.  EmpowerID is installed and managing identities in huge enterprise environments with hundreds of thousands of identities and scores of applications.  Conversely, we have clients with identical problems with a thousand users that EmpowerID solves.

Schedule a demonstration and we will tailor it to your specific use case to see how you can solve the role based user provisioning problem.


Tags: User provisioning

Single Sign-on (SSO) end user experience

Posted by Edward Killeen on Fri, Apr 19, 2013

Single sign-on (SSO) makes life easier for end users: they no longer juggle a separate password for every application and simply log on to each one seamlessly.  The problem is that not all applications are federated, so you need one SSO tool that can provide SSO for both federated and non-federated applications.  You also need SSO to cover both cloud and on-premises applications.  In other words, you need SSO that is genuinely easier for your end users.

EmpowerID provides this comprehensive view of single sign-on, giving end users an easy, intuitive way to get to all of their applications, whether they are federated or not, on premises or in the cloud.  Take a look at this demonstration of EmpowerID's intuitive and simple SSO platform for your end users:

If you need SSO for your users, EmpowerID offers the fullest range of single sign-on, provisioning and authorization capabilities around.


Tags: Single Sign-on (SSO)

Self service password management: all the passwords

Posted by Edward Killeen on Thu, Mar 21, 2013

You have heard the statistics that over 30% of all help desk calls are password related and that each help desk call costs, on average, around $35.  It is true that the quickest and best way to increase the efficiency of your IT department is to offer self service password management.  Give your users the ability to unlock and reset their own passwords.

Just don't stop at Active Directory.  There are more passwords out there, a lot more.  A study of just web passwords shows that users have on average 6.5 passwords to remember for 25 accounts.  Never mind that to get half a password, you have to have a very lax password policy (4 characters, 1 of which must be a fraction!).

So if you can save your company a quadrillion dollars solving your AD password management issues, doesn't it stand to reason that you want to solve ALL of the password management issues?  Your users forget them all, so you might as well let them reset and unlock them all.

Password synchronization goes hand in hand with self service password reset.  The first benefit is that your user's range of passwords is simplified, that number of 6.5 goes down dramatically to as low as 1.  There are times when password complexity rules are mutually exclusive and you will just have to have that accounted for in the password synchronization rules.

The one password most users remember is their AD password because they use it so often.  Make that your catalyst for all password changes.  If that password is changed, have EmpowerID synchronize that password to all of the other applications.  Even if the password is changed natively through CTRL-ALT-DEL, EmpowerID can capture that change and synchronize it to the other apps.

If the user does forget the AD password, offer a variety of ways for the end user to reset it.  Use the tried and true knowledge-based questions and answers, enhance security by adding an OATH one-time password from a token or phone, and be sure to have a helpdesk-only question where the helpdesk can see both the question and the answer.

Be sure to lock down the ability for end users to natively change passwords in the applications that you are synchronizing.  EmpowerID will update the application password the next time the user changes it, but until then the two will be out of sync.

If you focus on a solution for only the AD passwords, you are going to drop that 30% down but not all the way to 0%.  To get to 0%, you have to offer self service password reset and password synchronization to stop "ALL THE HELP DESK CALLS!"


Tags: Password management

Attribute sync with any identity store

Posted by Edward Killeen on Tue, Mar 19, 2013

Simple attribute sync is not difficult.  Take a key (user's alias or email address or employee ID) and decide which identity store is authoritative and synchronize the attribute(s).  What is difficult is when you have dozens or scores of identity stores.

If you tried to synchronize all of these attributes without a central identity store like a metadirectory, you would end up with a confusing lattice of synchronization scripts that could easily conflict with each other.  I'm not saying it's impossible, it's just impractical.

Having a hub-and-spoke solution allows you to easily flow attributes from the authoritative source to the metadirectory and back out to the appropriate identity stores.  An example: HR is authoritative for a user's title, so the EmpowerID metadirectory inventories HR, sees the change, and updates the user's "person" record in the metadirectory.  From there the change is flowed out to the LDAP identity store and Active Directory.

If some rogue admin changes the title in Active Directory using ADUC, EmpowerID would inventory that change, see that HR is authoritative, and roll back the change in AD.  Having the central metadirectory is incredibly powerful for keeping attributes accurate in all identity stores.

But metadirectories are complicated, right?  I saw my first metadirectory in 1999/2000 when Critical Path bought Isocor.  If you asked me that question then, I would have said, "yes, very complicated."  Ask me today and I'll say that even I can manage connectors and attribute flow. 

Consider this:

It is as simple as configuring the arrow to indicate the authoritative source.  An attribute can be authoritative from either identity store (arrow facing one way), last change wins (arrows facing both ways), or not synchronized at all (big red dot).  "Big red dot" is a technical term in the world of UI, trust me.

You have these attribute flow rules for every connected system in the identity ecosystem.  For the hub-and-spoke diagram above, you would have four sets of attribute flow rules to fill out, with EmpowerID doing the heavy lifting of schema detection from its connectors.  You just decide what maps and what wins.

This is just simple attribute flow; sometimes it gets more complicated.  You may need advanced attribute transformations, more than one-to-one attribute flow, one-to-many flow, or calculated values.  EmpowerID's UI allows you to easily extend the flow with these transformations, some right out of the box (for example, first name and last name from HR transforming to an alias of first initial plus last name, so Edward Killeen becomes ekilleen) and some with custom code.  It is all built into the EmpowerID platform.
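The flow rules described in the last few paragraphs (one-way arrow, two-way last-change-wins, big red dot, the HR-authoritative title that gets rolled back in AD, and the first-initial-plus-last-name alias), as an added Python illustration that is not EmpowerID code: the hub keeps a person record with a last-modified time per attribute, `inventory` processes a change seen in a connected store and returns the writes the hub must issue back out, and `flow_out` pushes hub values to the stores that read them.  The store names, attribute names and the rule table are constructed for the example.

```python
"""Hub-and-spoke attribute flow: added example, not EmpowerID code.
Stores, attribute names and the flow rules are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# The three arrow settings from the post: one way (a store or the hub is
# authoritative), both ways (last change wins), or the big red dot (no sync).
INBOUND, OUTBOUND, BOTH, NONE = "inbound", "outbound", "both", "none"

Write = Tuple[str, str, str]   # (store, attribute, value) the hub must write


@dataclass
class FlowRule:
    store: str                              # connected system
    store_attr: str                         # attribute name in that system
    person_attr: str                        # attribute name on the hub's person record
    direction: str                          # INBOUND: store authoritative; OUTBOUND: hub authoritative
    transform: Optional[Callable[[Dict[str, str]], str]] = None  # calculated value flowing out
    inputs: Tuple[str, ...] = ()            # person attributes the transform reads


@dataclass
class Person:
    attrs: Dict[str, str] = field(default_factory=dict)
    modified: Dict[str, int] = field(default_factory=dict)   # person_attr -> time of last change


@dataclass
class Change:
    store: str
    attr: str
    value: str
    timestamp: int


RULES: List[FlowRule] = [
    FlowRule("HR", "JobTitle", "title", INBOUND),
    FlowRule("HR", "GivenName", "firstName", INBOUND),
    FlowRule("HR", "Surname", "lastName", INBOUND),
    FlowRule("AD", "title", "title", OUTBOUND),
    FlowRule("AD", "mobile", "mobile", BOTH),
    FlowRule("AD", "sAMAccountName", "alias", OUTBOUND,
             transform=lambda p: (p["firstName"][:1] + p["lastName"]).lower(),
             inputs=("firstName", "lastName")),
    FlowRule("LDAP", "title", "title", OUTBOUND),
    FlowRule("LDAP", "description", "notes", NONE),
]


def find_rule(store: str, attr: str) -> Optional[FlowRule]:
    return next((r for r in RULES if r.store == store and r.store_attr == attr), None)


def outbound_value(person: Person, rule: FlowRule) -> str:
    return rule.transform(person.attrs) if rule.transform else person.attrs.get(rule.person_attr, "")


def flow_out(person: Person, person_attr: Optional[str] = None,
             exclude_store: Optional[str] = None) -> List[Write]:
    """Push the hub's value to every store whose rule reads person_attr
    (all attributes when person_attr is None), skipping the originating store."""
    writes: List[Write] = []
    for rule in RULES:
        if rule.direction not in (OUTBOUND, BOTH) or rule.store == exclude_store:
            continue
        if person_attr is None or rule.person_attr == person_attr or person_attr in rule.inputs:
            writes.append((rule.store, rule.store_attr, outbound_value(person, rule)))
    return writes


def inventory(person: Person, change: Change) -> List[Write]:
    """Handle one change detected in a connected store and return the writes the
    hub must issue: a rollback, a last-change-wins overwrite, or outbound flows."""
    rule = find_rule(change.store, change.attr)
    if rule is None or rule.direction == NONE:
        return []                                              # big red dot: ignore
    if rule.direction == OUTBOUND:                             # hub is authoritative: roll back
        hub_value = outbound_value(person, rule)
        return [] if change.value == hub_value else [(change.store, change.attr, hub_value)]
    if rule.direction == BOTH and person.modified.get(rule.person_attr, -1) > change.timestamp:
        hub_value = outbound_value(person, rule)               # hub holds a newer value: it wins
        return [] if change.value == hub_value else [(change.store, change.attr, hub_value)]
    if person.attrs.get(rule.person_attr) == change.value:
        return []                                              # nothing new
    person.attrs[rule.person_attr] = change.value              # accept into the hub ...
    person.modified[rule.person_attr] = change.timestamp
    return flow_out(person, rule.person_attr, exclude_store=change.store)   # ... and flow out


if __name__ == "__main__":
    me = Person({"firstName": "Edward", "lastName": "Killeen", "title": "Marketing Manager"})
    print(inventory(me, Change("HR", "JobTitle", "VP Marketing", 10)))   # flows to AD and LDAP
    print(inventory(me, Change("AD", "title", "CEO", 11)))              # rogue change rolled back
```

Two details matter in practice.  The rollback branch is what turns the metadirectory into an enforcement point rather than a copy: a change made natively in a store the hub owns is simply overwritten on the next inventory.  And the last-change-wins branch needs a trustworthy timestamp from each connector; without one, a delayed inventory of an old value would be mistaken for a fresh change.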

Having a metadirectory in place also extends attribute sync to the cloud.  Many of our customers have 20%+ of their applications in the cloud now.  You need to be able to synchronize these attributes out to the cloud identity stores.  You rarely have access to the backend database or directory, rendering scripts and simple synchronization tools obsolete and ineffective.

EmpowerID's connector framework can map synchronization actions to a cloud application's API layer, allowing synchronization from the metadirectory out to cloud applications.  With this capability, all of your identity stores are synchronized and accurate.  Contact us for a personalized demonstration of EmpowerID and we can show you how to synchronize attributes, along with all of the other capabilities of the most complete and flexible IAM platform on the market.


Tags: User provisioning, Identity and Access Management (IAM)

The link between password synchronization and password reset

Posted by Edward Killeen on Tue, Mar 12, 2013

Wouldn't it be magical if a user forgot their Active Directory password, reset it themselves and had that new password synchronized to all of their other accounts?  You know, without calling the help desk?

Think of the productivity gains if that JIRA account they go into every 3 months had the same password as Active Directory as Google Apps as Salesforce as that custom built app that nobody knows who supports?


Currently, we know that over a third of all help desk calls are password related and to properly maintain security, password policies should actually be more stringent.  This would cause that number to go up.  It's not the users' faults, it is human nature to forget even the most important things.  Otherwise grocery lists wouldn't exist and there wouldn't be jokes about husbands forgetting anniversaries.

Since we can't blame the user, let's help them.

Self service password reset is a very basic idea.  If your user doesn't know their password you have to authenticate them with at least one of three things:

  • something they know
  • something they have
  • something they are

The first is knowledge-based, usually a set of answers to pre-set questions.  Making this customizable by role is important; your factory floor worker may not need the stringent set of questions that your CFO needs.  It is sort of like making the punishment fit the crime, the more access that the user has, the more important it is to determine their identity.

The second factor is usually a phone or smart card.  This one isn't as common as it should be.  As with the first factor, you can customize this by role: take advantage of the fact that your executive users all have smartphones and send them an OATH one-time password to confirm that they have what they say they have.  It adds a LOT of security for only a small additional commitment from the user.

The third factor is usually biometrics.  This step is often taken for extremely highly sensitive accounts.  If you have the need to roll this out, your users know what they are dealing with.
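The first two factors above, as an added Python illustration that is neither EmpowerID code nor a description of its Password Manager: a per-role reset policy decides how many knowledge-based answers and whether a one-time password are required (a person with several roles gets the strictest combination, and an unknown role fails safe to the strictest), answers are checked against stored hashes in constant time, and the one-time password is an OATH TOTP (RFC 6238, built on RFC 4226 HOTP).  The role names, policies, questions and the demo secret are constructed; the secret is the RFC 4226 test-vector secret so the codes can be checked against the published values.

```python
"""Self-service password reset factors: added example, not EmpowerID code.
Knowledge-based answers are checked against stored hashes and an OATH TOTP
(RFC 6238, built on RFC 4226 HOTP) is verified for roles that require it.
Roles, policies, questions and the demo secret are constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current step and +/-window neighbours for clock drift, comparing
    in constant time. A real deployment must also refuse to accept a code that
    already succeeded within the window (replay)."""
    return any(
        hmac.compare_digest(totp(secret, at + delta * step, step), code)
        for delta in range(-window, window + 1)
    )


@dataclass(frozen=True)
class ResetPolicy:
    questions_required: int
    otp_required: bool


# Per-role policies; a person holding several roles gets the strictest combination.
POLICIES: Dict[str, ResetPolicy] = {
    "factory_floor": ResetPolicy(2, False),
    "manager": ResetPolicy(3, False),
    "executive": ResetPolicy(3, True),
}
DEFAULT_POLICY = ResetPolicy(3, True)    # unknown roles fail safe to the strictest


def policy_for(roles: Iterable[str]) -> ResetPolicy:
    matched = [POLICIES[r] for r in roles if r in POLICIES]
    if not matched:
        return DEFAULT_POLICY
    return ResetPolicy(max(p.questions_required for p in matched),
                       any(p.otp_required for p in matched))


def hash_answer(answer: str) -> str:
    """Normalise whitespace and case before hashing so 'Main St' == ' main  st '."""
    return hashlib.sha256(" ".join(answer.lower().split()).encode()).hexdigest()


def verify_reset(roles: Iterable[str], stored: Dict[str, str], answers: Dict[str, str],
                 otp_secret: Optional[bytes], otp_code: Optional[str], now: int) -> bool:
    """Decide whether a reset may proceed: enough correct answers for the
    policy, plus a valid one-time password where the policy demands it."""
    policy = policy_for(roles)
    correct = sum(
        1 for question, digest in stored.items()
        if question in answers and hmac.compare_digest(hash_answer(answers[question]), digest)
    )
    if correct < policy.questions_required:
        return False
    if policy.otp_required:
        return bool(otp_secret and otp_code and verify_totp(otp_secret, otp_code, now))
    return True


if __name__ == "__main__":
    secret = b"12345678901234567890"        # RFC 4226 test-vector secret, not a real key
    stored = {q: hash_answer(a) for q, a in
              {"first car": "Ford Pinto", "street": "Main St", "pet": "Rex"}.items()}
    given = {"first car": "ford pinto", "street": " MAIN  st", "pet": "Rex"}
    print(totp(secret, 59))                                          # 287082 (RFC 6238 vector)
    print(verify_reset(["executive"], stored, given, secret, totp(secret, 59), 59))  # True
```

Note that the knowledge-based answers are hashed with a plain SHA-256 here only to keep the example short; answers to "favourite pet" style questions have very little entropy, so a production store should use a slow, salted hash and a lockout on repeated failures, which is also why the post recommends adding the second factor for higher-privilege roles.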

EmpowerID Password Manager can handle all of these factors and the customization needed to make it work.  Its powerful workflow engine makes it easy to branch out different password reset paths based on role or group membership or any other determining factor.

And EmpowerID also synchronizes this new password with all of the other systems connected to its metadirectory.  Reset your Active Directory password and simultaneously reset your Lotus Notes password.  Give your users one password at a time to forget.

Importantly, users are still going to reset their password the old-fashioned way with CTRL-ALT-DELETE.  EmpowerID has a password filter on the domain controllers that catches these password changes and runs them through the same password synchronization workflow described above, keeping your users on that single password.

By having tools to help your users, you can put password policies in place that help security, making them change every 30-45 days, knowing that you won't get as many complaints since it's a single password still.  Something that even your most vocal users should get behind.

EmpowerID makes all of this possible in a very powerful yet easy to manage application.  It has at its core a full Identity & Access Management platform broken out by modules for functionality.  Having the metadirectory, RBAC engine and workflow studio built into the base platform and available for every module gives the flexibility to have these advanced password functions without having to buy the entire IAM suite.  See it for yourself, schedule a demonstration by clicking the button below!


Tags: Password management

You need an automated user provisioning process

Posted by Edward Killeen on Tue, Feb 26, 2013

I'm on the phone all day every day with clients who are either manually provisioning users or cobbling together scripts with bandaids, duct tape and chewing gum to get their user provisioning automated.  If you don't have it fully automated yet, you are not the lone ranger.

That does not mean that you shouldn't, obviously.  User provisioning should be automated, it should incorporate all of your applications (cloud and on premise) and it should tie into your access governance as well.

Let's start with the first part: automating your user provisioning process.  This is basic identity management workflow.  In the case of EmpowerID, it is VISUAL identity management workflow, meaning that the workflow is designed and configured in an easy-to-manage business process management layout.

When you are sitting in a conference room designing the provisioning process, you are most likely at the whiteboard drawing rectangles and arrows and directories.  That should translate directly to the identity process workflow in EmpowerID, allowing your business needs to dictate your identity policy instead of your identity software dictating your business.

The identity management system will have connectors to all of your applications and identity stores.  Usually, HR is your authoritative system of record; EmpowerID will inventory HR for hired or fired employee records and initiate the onboarding and offboarding workflows.  The user account will be created in the metadirectory and based on the rules and policies in EmpowerID, will initiate workflows to all of the other affected systems and applications that this user should access.

The metadirectory sits in the middle and keeps a centralized record of all of the user's accounts and access.  This "person record" gives a whole view of the user and allows for auditing, constant updates to attributes and resultant access (whether it be roles or group membership or application access).  This makes auditing easy, makes it possible to see changes that happened outside of the system (through native access), and allows for attestation and separation of duties policies.

Those internal users aren't all of your users though.  You have partners, customers, dealers, contractors and a host of other external users.  The old "keep them in AD" practice won't work, there is too much risk there.  EmpowerID's metadirectory and workflows give you the ability to keep user accounts in the same system, design similar workflows and manage rights and access in a much more secure manner.  You can even have anonymous workflows to allow external users to create an account with limited access and send requests to internal users to grant additional access.

And to just what applications are you provisioning users nowadays?  Certainly more than you were five years ago.  You have cloud applications, AS/400 applications, web applications, and the usual suspects of AD and Exchange.  You need modern IAM provisioning software (like EmpowerID) that can handle provisioning to all of these applications.  EmpowerID has direct connectors to most major applications and the ability to map APIs to workflow shapes for the ones we don't.  Most importantly, by having a framework to quickly deploy and manage connectors, EmpowerID can connect to almost anything, keeping user accounts current and secure.

The third part that is important is to integrate with all other aspects of Identity and Access Management (IAM).  Most legacy IAM suites (I'm looking at IBM and CA and Microsoft and Quest here) are the result of myriad acquisitions and mergers, and the products are put together in a way that not all modules work together.  EmpowerID is built from the ground up on a single code base, and the platform shares common components like the metadirectory, RBAC engine and workflow studio.

So, if you are provisioning to the cloud, you can create role-based provisioning so that only salespeople get a CRM account, and they are automatically federated for single sign-on and application roles.  When you reset your password in AD, it flows out and resets passwords in all applications.  If a user is promoted, this is reflected throughout their identity, changing application access and roles within each application.  If a user attempts to access a highly secure folder, second-factor authentication can be launched to ensure they are who they say they are (and have what they are supposed to have).

It needs to be a full identity ecosystem.

So, automate your user provisioning process but do it with an identity ecosystem that covers all of your identity needs.  Even if you don't deploy all of it right away, have a platform that can handle all of your identity needs.

Tags: User provisioning

Managing SharePoint roles dynamically

Posted by Edward Killeen on Thu, Feb 21, 2013

Looking at the title of this blog post, you would think, "that's crazy, there are no roles in SharePoint!"  Microsoft liberally uses SharePoint groups to mean roles in their documentation, but these groups aren't useful in any RBAC sense beyond SharePoint.  SharePoint can also use Active Directory security groups, but there is a downside to this: token bloat and the accidental mixing of permissions between SharePoint and AD (adding a user to a group to grant access to a SharePoint site can accidentally give them access to the deepest, darkest secrets in accounting).

Groups are not roles, especially when they are static by nature.  Over 85% of organizations manage groups manually, and if that is the case you can never really be certain that the correct users are in the correct groups.  You need your roles to be dynamic and rule-based.  You need your RBAC to be augmented by ABAC for on-the-fly fine-grained permissions.

So, how do you do this in SharePoint?  By setting EmpowerID as your claims provider.  A SharePoint claims provider augments users' security tokens with additional claims at sign-in, and those same claims can be selected when configuring permissions on securable objects like sites, lists, items, and documents.

This gives you the ability to expose your roles in the People Picker to find and select people, groups, and claims when a site, list, or library owner assigns permissions in Microsoft SharePoint Server 2010. When claims-based authentication is used, the People Picker allows end-users to search and select claims for permissions assignments from a custom Claim Provider or Claims Augmentation provider just as they would normally search for users or groups. Typically a Claims Provider would support more flexible role-based assignments or dynamic fine-grained authorization assignments to increase the flexibility and security of the SharePoint permissions system.

In EmpowerID's RBAC engine, roles are assigned dynamically, either by set groups or a role structure (location/department, etc).  The role structure is polyarchical and is generated based on your applications and corporate structure.  Powerful RBAC policies leverage EmpowerID’s multi-tiered model to pre-calculate access to all known enterprise applications and resources based on an organization’s structure, a person’s job function, and all directly assigned access. These rules allow information from authoritative systems to drive changes in application access and provisioning policies.

What you end up with are roles that can be applied to any application, access or provisioning policy.  The role membership is updated dynamically based on changes in identity information from any connected identity store (HR, customer database, Active Directory) and inventoried as often as every couple of minutes.  And, very importantly, used to manage SharePoint permissions without having end users have to manually update AD or SharePoint groups. 

Think about that, SharePoint permissions that stay accurate without you having to manage it!

These permissions can be assigned as Administrator, Contributor, Reader or any level of access within SharePoint.  When the user signs in, the EmpowerID claims provider will pass along a claim with all of the user's permissions within SharePoint.  You can even use EmpowerID for SharePoint single sign-on for external or internal users.  The same process applies and you won't have to give an AD account to the external user.
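The mechanics described across the last few paragraphs (role membership recalculated from identity attributes, a polyarchical structure anchored in more than one hierarchy such as location and department, an attribute-based refinement, and the result surfacing as claims carrying SharePoint permission levels), as an added Python illustration that is neither EmpowerID nor SharePoint code: `compute_roles` re-derives a person's roles from their current attributes against two constructed hierarchies, and `claims_for` turns those roles into the claims a provider would add to the token at sign-in.  The hierarchies, role rules, site paths and attribute names are assumptions made for the example.

```python
"""Dynamic role membership over polyarchical hierarchies, emitted as claims:
added example, not EmpowerID or SharePoint code. The hierarchies, rules,
sites and attribute names are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Tree = Dict[str, Optional[str]]      # node -> parent (None at the root)

# Two independent hierarchies; a role rule may anchor in either or both (polyarchy).
DEPARTMENTS: Tree = {"Company": None, "Sales": "Company", "Inside Sales": "Sales", "Finance": "Company"}
LOCATIONS: Tree = {"Global": None, "EMEA": "Global", "London": "EMEA", "APAC": "Global"}


def lineage(tree: Tree, node: Optional[str]) -> List[str]:
    """The node and all of its ancestors up to the root (empty if node is unknown)."""
    out: List[str] = []
    while node is not None and node in tree:
        out.append(node)
        node = tree[node]
    return out


@dataclass(frozen=True)
class RoleRule:
    name: str
    department: Optional[str] = None     # anchor in DEPARTMENTS; None means any
    location: Optional[str] = None       # anchor in LOCATIONS; None means any
    require: Tuple[Tuple[str, str], ...] = ()   # ABAC refinement: attribute must equal value

    def matches(self, person: Dict[str, str]) -> bool:
        """A person matches when their department and location fall under the
        rule's anchors (or the anchor is unset) and every required attribute holds."""
        if self.department and self.department not in lineage(DEPARTMENTS, person.get("department")):
            return False
        if self.location and self.location not in lineage(LOCATIONS, person.get("location")):
            return False
        return all(person.get(attr) == value for attr, value in self.require)


ROLE_RULES: List[RoleRule] = [
    RoleRule("All Staff", department="Company", require=(("employeeType", "Employee"),)),
    RoleRule("EMEA Sales", department="Sales", location="EMEA", require=(("employeeType", "Employee"),)),
    RoleRule("Global Finance", department="Finance", require=(("employeeType", "Employee"),)),
    RoleRule("Partner Portal Users", require=(("employeeType", "Partner"),)),
]

# Role -> SharePoint site -> permission level, assigned once against the role
# rather than maintained per user in an AD or SharePoint group.
SITE_PERMISSIONS: Dict[str, Dict[str, str]] = {
    "All Staff": {"/sites/intranet": "Read"},
    "EMEA Sales": {"/sites/sales-emea": "Contribute"},
    "Global Finance": {"/sites/finance": "Full Control"},
    "Partner Portal Users": {"/sites/partners": "Read"},
}


def compute_roles(person: Dict[str, str]) -> Set[str]:
    """Membership is recalculated from current attributes every time, so an HR
    change (promotion, transfer, termination) moves the person automatically."""
    return {rule.name for rule in ROLE_RULES if rule.matches(person)}


def claims_for(person: Dict[str, str]) -> List[Tuple[str, str]]:
    """Claims a provider would add to the user's token at sign-in: one per role,
    plus one per site permission those roles carry."""
    claims: Set[Tuple[str, str]] = set()
    for role in compute_roles(person):
        claims.add(("role", role))
        for site, level in SITE_PERMISSIONS.get(role, {}).items():
            claims.add(("sharepoint-permission", f"{site}={level}"))
    return sorted(claims)


if __name__ == "__main__":
    alice = {"department": "Inside Sales", "location": "London", "employeeType": "Employee"}
    print(compute_roles(alice))                       # {'All Staff', 'EMEA Sales'}
    alice["department"] = "Finance"                   # promotion flows in from HR
    print(compute_roles(alice))                       # {'All Staff', 'Global Finance'}
    print(claims_for({"employeeType": "Partner"}))    # a partner with no AD account at all
```

Because nothing is stored per user, there is no group to drift out of date: the same HR change that moves Alice from Inside Sales to Finance removes her Contribute claim on the sales site and adds Full Control on the finance site at her next sign-in, and a partner with no AD account still receives a claim scoped to the partner site only.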

Make SharePoint work by managing SharePoint roles dynamically.  If you want a demo, we would be happy to show you how this works.  Or request the whitepaper on our method of managing permissions with an RBAC / ABAC hybrid.


Tags: Role Based Access Control (RBAC), SharePoint