All-In-One Identity Management and Cloud Security

Today, The Dot Net Factory releases EmpowerID 2013 for general availability. Building on its industry leading visual workflow platform, EmpowerID expands Identity & Access Management (IAM) to manage the two hottest trends in the market: mobility and single sign-on.

EmpowerID is innovating with the changes in today’s business climate. More users are using mobile devices, requiring more flexible and secure authentication, and demanding a single username and password. Users no longer means just your employees, you need a way to manage the identities and login experience for customers, partners and other external users. EmpowerID 2013 provides new exciting features to match these changing needs.

New in EmpowerID 2013

• Web Access Management (WAM) to complement Federated SSO
• Virtual directory LDAP server built on Node.js
• HTML5 interface for a complete mobile experience
• Forced device registration for strong authentication
• OATH compliant server for software and hardware Time Based One Time Passwords (for web login, RADIUS login, LDAP and others)
• Full smart card login support
• FIPS compliance

The balance between security and productivity is a challenge for all businesses, EmpowerID provides a critical fulcrum by getting your users the correct access exactly when they need it. From authentication to authorization to actually getting work done, your users need to have the correct permissions, have access to the correct systems, and know how to manage this access. EmpowerID is the only Identity Management platform that maps these needs to your business processes.

These new features give more flexibility in how to manage users identities and how the users can access resources. Coupled with EmpowerID’s already existing extensive collection of identity workflows, full rights based access control, and metadirectory, these new features will allow companies to keep up with the needs of their employees.

Life would be a lot easier if we only had to manage our employees' identities.  But we have customers, partners, and contractors.  These external identities have the same needs for identity management as our internal identities.  In fact, they might have more needs as we know a lot less about them.

The most common scenario that we see is when a customer (the external user) registers for services with our client.  The needs are very simple: self-registration, role based access control, approval workflows, and federated single sign-on (SSO).  I'm kidding, that's not simple.

Let's start with the self-registration.  When your external user first finds your site, you will want their registration to be simple, giving them immediate access to the most public facing resources.  EmpowerID's built in forms designer allows you to have them fill out the important information and create an account in the metadirectory. 

The RBAC engine will give them the most basic of permissions at the same time that it either kicks off an approval workflow to grant more permissions or inventories another identity store (CRM for example) to determine their role and give higher privileges.

So, now you know who they are and can design some provisioning rules for other applications.  With the roles in place, you know that customers that meet certain criteria get access to different applications and resources.  Role based provisioning will automatically create accounts in these applications.

Permissions are managed with these roles too.  Polyarchical roles allow you to protect resources at a very granular level without having to create a role for every single type of external user.

Now we get to the heart of the matter, you know who your external users are, what their roles are and what access you give each role.  Now your users need to access these resources and applications.

Enter single sign-on (SSO).  You have provisioned a user account in the EmpowerID metadirectory.  This metadirectory can act as an identity provider or service provider, meaning that you can authenticate with EmpowerID and federate out to other applications or you can authenticate with other credentials, federate with EmpowerID and then with your other applications.

EmpowerID as an identity provider is incredibly powerful, it is also a Secure Token Service, allowing it to send tokens to the federated applications and giving users immediate access based on their role.  EmpowerID supports federation with SAML, OpenID, OAuth, WS-Trust and WS-Federation.

For applications that aren't federated, EmpowerID can also perform Web Access Management (WAM), sending user credentials securely and giving the same end user experience.

On the flip side, you can also federate with other identity providers such as Facebook or Twitter, giving users the ability to authenticate with credentials they use every day.  EmpowerID is still in the middle and provides role based access to the connected applications.

EmpowerID is one of the only IAM solutions on the market that manages external users' provisioning, authentication and authorization.  EmpowerID supports anonymous provisioning, allowing users to register for the services and be given a baseline of permissions.  EmpowerID can federate with Facebook, Twitter, etc. to authenticat, claim accounts in other applications and manage any attributes.

EmpowerID can then perfrom two factor authentication, device registration or identity proffing to further confirm the user's identity.  This seamless HTML5 interface works on any device allowing mobile usage and a better overall user experience.

Schedule a demonstration and see how you can manage your external identities, giving them more secure and easy access to your resources.

Andras Cser of Forrester writes that XACML is Dead.  The first analyst question I was asked as head of marketing at EmpowerID was, "do you support XACML?"  The easy answer was (and is), "we will when application vendors do."  Andras' first point as the cause of the death of XACML: "Lack of broad adoption."

Andras' second point is the one that really gets to the technical heart of the matter rather than the logistical: XACMML's "inability to serve the federated, extended enterprise."  Identity and Access Management (IAM) has moved way beyond the borders of an Active Directory forest.  Organizations are managing their internal users, partners, customers, and contractors and need a flexible authentication and authorization system that can accomodate the unique needs of each constituency.

Additionally, the applications they are accessing are growing more varied and widespread.  You have legacy applications, cloud applications, web applications, and mobile applications.  Organizations demand an IAM platform that can authenticate and authorize not against the ones that support a specific standard, but all of them.

So, while some analysts have been trumpeting loudly that XACML is going to make authorization easy and standards based, the market and forward thinking analysts like Andras have realized that IAM in today's world is too complicated for it.

Unfortunately, this leaves us at the question: how the heck do we manage authorization in this new complicated world?  We believe that EmpowerID has hit on the best way to manage it, by integrating roles into every single aspect of IAM from provisioning to authentication to password reset to SSO.  Making your roles pervasive in all aspects of IAM gives you flexibility on the who has access to what and when question.

EmpowerID's role engine was designed as part of a purpose-built single codebase IAM platform; roles fit in as an integral part of each IAM function.  Our polyarchical role structure is flexible and intuitive, allowing organizations a tremendous amount of flexibility in how they apply permissions and authorization.

When roles are too static, we combine ABAC with RBAC to give runtime decisions based on attributes in any connected system, giving even more flexibility.

EmpowerID includes an advanced authorization policy engine that allows organizations to define a user’s access to a diverse set of corporate and cloud-hosted resources via flexible RBAC and ABAC rules. This “resultant access” information is then either consumed or “pulled” by systems that support leveraging an external authorization engine to make access decisions or “pushed” down onto systems that don’t.

Read more about EmpowerID's authorization engine, schedule a demo, or request a whitepaper on Best Practices in Enterprise Authorization.  XACML isn't walking through that door ready to save enterprise authorization, take a look at a solution that will.

Cloud SSO is essential for productivity in your organization.  In fact, it also reduces help desk costs and can improve security.  Users can log into applications faster and with fewer obstacles.  No more lost passwords equals fewer help desk calls.  And, for the first time ever, IT has a better understanding of all of the cloud applications and user accounts in their identity ecosystem.

Here is the rub: you cannot federate with all applications.  It would be wonderful if SAML, OpenID, OAuth, et cetera were ubiquitous and you would have quick and easy federation with all of them.  In fact, we have a whitepaper on the Top 5 Federated SSO scenarios for those applications that do support federation.

So, what do you do if it doesn't support federation?  EmpowerID and its webform SSO.  What this does for you is to allow your users to claim accounts, enter their credentials and then future logins are completely single sign-on.  In fact, the user experience is exactly the same for both types of SSO, giving an even simpler user experience for your users.

Here is a demonstration of that user experience:

Now that you have your users single signing on to ALL of their applications, you get into some of the more exciting aspects of Identity and Access Management.  The same platform (EmpowerID) that is providing SSO also provisions users into these cloud applications.  Even going so far as being role based cloud provisioning.  So, only users in a sales role get a SalesForce account.  Only the developer role gets a JIRA account.  And only those accounts that the user has will appear in their SSO dashboard.

So, download the whitepaper and schedule a demonstration to see how you can offer Cloud SSO and provisioning for all of your applications.

EmpowerID is a comprehensive Identity and Access Management (IAM) platform.  It authenticates, authorizes, provisions, federates, resets passwords, audits, attests, and separates duties.  Pretty much soup to nuts Identity Management.

It does all of this for on premise or cloud applications.  Likewise for internal or external identities.  It mixes the two or separates the two.  And it does all of it well, as shown by our over 400 customers using the platform.

But that might not even be the most standout aspect to the platform.  Which is odd because all of the above is what is needed for you to get your job done and keep your identities accurate and secure.

Within the EmpowerID platform is a visual workflow designer.  This designer displays your identity workflows with traditional workflow shapes, decision trees and mimics how you would design it on a whiteboard or on a drafting table.  It allows you to match your identity processes to your business processes, not the other way around.  You simply drag and drop the shapes and the workflow does the work for you.  Each "shape" has an identity action that you can easily configure.  It is simple and easy and immensely powerful.

This is where the title of this blog post comes into play.  Each workflow can be exposed as a web service.  So, from within your application, you can provision a user, set an attribute, reset a password, set a role, authorize a user, or even federate.

This comes into play when you use EmpowerID's metadirectory as your backend identity store for authentication.  You get that full list of functionality with which I opened the blog post (authentication, authorization, RBAC, provisioning, federation, password managemnt, auditing, attestion, separation of duties, soups to nuts).  Without having to build it into your application.

This came up very recently with a customer who was looking for single sign-on into their newly built applications.  As they were talking to several of our SSO competitors, they realized that nobody else had provisioning with SSO.  And they needed this.

This customer had already built the user interface and was planning on using our OAuth server for authentication.  What was missing was that they needed a way to enforce RBAC, to have admins create new users, and to have end users reset their passwords.  Since all EmpowerID workflows are exposed as either a web service or through APIs, this becomes a fairly simple endeavor to build this into their application.

They now have a very robust IAM capability from within their application.  They can manage users, passwords, authentication, and roles from either within their application, the EmpowerID web UI, or the EmpowerID hard client.

One of the key concepts in user provisioning is that not all users are created equal.  An IT admin may need a user account provisioned to JIRA while a sales manager needs a user account provisioned to Microsoft CRM.  All employees get an AD account and Exchange mailbox.  Partners only get a SharePoint profile.  Role based user provisioning solves this.

With EmpowerID's integrated RBAC engine, you have roles assigned either statically or dynamically to each user, most times more than one role.  With a simple role assignment, EmpowerID assigns user accounts to that user and performs the heavy lifting of provisioning them whether on premise or in the cloud.

This video is a very simple demonstration of this process, showing the end result and how we got there.  User account provisioning does not have to be difficult or messy or most importantly manual. 

This was, of course, a very simple example, with only a handful of accounts and a handful of roles.  EmpowerID is installed and managing identities in huge enterprise environments with hundreds of thousands of identities and scores of applications.  Conversely, we have clients with identical problems with a thousand users that EmpowerID solves.

Schedule a demonstration and we will tailor it to your specific use case to see how you can solve the role based user provisioning problem.

Single sign-on (SSO) makes life easier for end users; passwords and user accounts are eliminated and users just log on seamlessly to applications.  The problem is that not all applications are federated so you need one SSO tool that can provide SSO for federated and non-federated applications.  You also need SSO to manage both cloud and on-premise applications.  In other words, you need SSO to be made easier for your end users.

EmpowerID provides this comprehensive view of single sign-on, giving end users an easy, intuitive way to get to all of their applications, whether they are federated or not, on premise or cloud.  Take a look at this demonstration of EmpowerID's intuitive and simple SSO platform for your end users:

If you need SSO for your users, EmpowerID offers the fullest range of single sign-on, provisioning and authorization capabilities around.

You have heard the statistics that over 30% of all help desk calls are password related and that each help desk call costs, on average, around $35.  It is true that the quickest and best way to increase the efficiency of your IT department is to offer self service password management.  Give your users the ability to unlock and reset their own passwords.

Just don't stop at Active Directory.  There are more passwords out there, a lot more.  A study of just web passwords show that users have on average 6.5 passwords to remember for 25 accounts.  Never mind that to get a half password, you have to have a very lax password policy (4 characters, 1 of which must be a fraction!).

So if you can save your company a quadrillion dollars solving your AD password management issues, doesn't it stand to reason that you want to solve ALL the password management issues.  Your users forget them all, might as well have them reset and unlock them all.

Password synchronization goes hand in hand with self service password reset.  The first benefit is that your user's range of passwords is simplified, that number of 6.5 goes down dramatically to as low as 1.  There are times when password complexity rules are mutually exclusive and you will just have to have that accounted for in the password synchronization rules.

The one password most users remember is their AD password because they use it so often.  Make that your catalyst for all password changes.  If that password is changed, have EmpowerID synchronize that password to all of the other applications.  Even if the password is changed natively through CTRL-ALT-DEL, EmpowerID can capture that change and synchronize it to the other apps.

If the user does forget the AD password, offer a variety of ways for the end user to reset the password.  Utilize the tried and true Q&A knowledge based questions, enhance the security a bit by throwing in OATH tokens, and be sure to have a helpdesk only question where the helpdesk can see both the question and answer.

Be sure to lock down the ability for end users to natively change passwords in the applications that you are synchronizing.  EmpowerID will update the application password next time your user changes it but they will be out of synch until then.

If you focus on a solution for only the AD passwords, you are going to drop that 30% down but not all the way to 0%.  To get to 0%, you have to offer self service password reset and password synchronization to stop "ALL THE HELP DESK CALLS!"

Simple attribute sync is not difficult.  Take a key (user's alias or email address or employee ID) and decide which identity store is authoritative and synchronize the attribute(s).  What is difficult is when you have dozens or scores of identity stores.

If you tried to synchronize all of these attributes without a central identity store like a metadirectory, you would end up with a confusing lattice of synchronization scripts that could easily conflict with each other.  I'm not saying it's impossible, it's just impractical.

Having a hub and spoke solution allows you to easily flow attributes from the authoritative source to the metadirectory and back out to the appropriate identity stores.  An example would be that HR is authoritative for a user's title, then empowerID metadirectory would inventory HR, see the change and update the user's "person" account in the metadirectory.  With that change, it will need to be flowed out to the LDAP identity store and Active Directory.

If some rogue admin changes the title in Active Directory using ADUC, empowerID would inventory that change, see that HR is authoritative and roll back the change in AD.  Having the central metadirectory is incredibly powerful for keeping attributes in all identity stores accurate.

But metadirectories are complicated, right?  I saw my first metadirectory in 1999/2000 when Critical Path bought Isocor.  If you asked me that question then, I would have said, "yes, very complicated."  Ask me today and I'll say that even I can manage connectors and attribute flow. 

Consider this:

It is as simple as configuring the arrow to indicate the authoritative source.  It can be authoritative from either identity store (arrow facing one way), last change wins (arrows facing both ways), or don't sync (big red dot).  "Big red dot" is a technical term in the world of UI, trust me.

You have these attribute flow rules for every connected system in the identity ecosystem.  From the example of the hub and spoke diagram above, you would have four attribute flow rules to fill out, with empowerID doing the heavy lifting of schema detection from its connectors.  You just decide what maps and what wins.

This is just for simple attribute flow, sometimes it does get more complicated.  You may need advanced attribute transformations, more than 1 to 1 attribute flow, 1 to many, calculated values.  You may need to extend the attribute flow for complex transformations.  EmpowerID's UI allows you to easily extend the flow with these transformation, some right out of the box (for example first name & last name from HR transforming to an alias like first initial last name {Edward Killeen becoming ekilleen}) and some with custom code.  It is all built into the empowerID platform.

Having a metadirectory in place also extends attribute sync to the cloud.  Many of our customers have 20%+ of their applications in the cloud now.  You need to be able to synchronize these attributes out to the cloud identity stores.  You rarely have access to the backend database or directory, rendering scripts and simple synchronization tools obsolete and ineffective.

EmpowerID's connector framework can map synchronization actions to its API layer, allowing synchronization from the metadirectory to the cloud applications.  With this capability, you now have all of your identity stores synchronized and accurate.  Contact us for a personalized demonstration of empowerID and we can show you how to synchronize attributes and all of the other capabilities of the most complete and flexible IAM platform on the market.

Wouldn't it be magical if a user forgot their Active Directory password, reset it themselves and had that new password synchronized to all of their other accounts?  You know, without calling the help desk?

Think of the productivity gains if that JIRA account they go into every 3 months had the same password as Active Directory as Google Apps as Salesforce as that custom built app that nobody knows who supports?

Currently, we know that over a third of all help desk calls are password related and to properly maintain security, password policies should actually be more stringent.  This would cause that number to go up.  It's not the users' faults, it is human nature to forget even the most important things.  Otherwise grocery lists wouldn't exist and there wouldn't be jokes about husbands forgetting anniversaries.

Since we can't blame the user, let's help them.

Self service password reset is a very basic idea.  If your user doesn't know their password you have to authenticate them with at least one of three things:

• something they know
• something they have
• something they are

The first is knowledge-based, usually a set of answers to pre-set questions.  Making this customizable by role is important; your factory floor worker may not need the stringent set of questions that your CFO needs.  It is sort of like making the punishment fit the crime, the more access that the user has, the more important it is to determine their identity.

The second factor is usually a phone or smart card.  This one isn't as common as it should be.  As in the first factor, you can customize this by role, take advantage of the fact that your executive users all have smartphones, send an OATH token to confirm that they have what they say they have.  It adds a LOT of security and only a small additional commitment from the user.

The third factor is usually biometrics.  This step is often taken for extremely highly sensitive accounts.  If you have the need to roll this out, your users know what they are dealing with.

EmpowerID Password Manager can handle all of these factors and the customization needed to make it work.  Its powerful workflow engine makes it easy to branch out different password reset paths based on role or group membership or any other determining factor.

And EmpowerID also synchronizes this new password with all of the other systems connected to its metadirectory.  Reset you Active Directory password and simultaneously reset your Lotus Notes password.  Give your users one password at a time to forget.

Importantly, users are going to reset their password the old fashioned way with CTRL-ALT-DELETE.  EmpowerID has a DC filter that will catch these password changes and run them through the same password synchronization workflow described above, keeping your users with just that single password.

By having tools to help your users, you can put password policies in place that help security, making them change every 30-45 days, knowing that you won't get as many complaints since it's a single password still.  Something that even your most vocal users should get behind.

EmpowerID makes all of this possible in a very powerful yet easy to manage application.  It has at its core a full Identity & Access Management platform broken out by modules for functionality.  Having the metadirectory, RBAC engine and workflow studio built into the base platform and available for every module gives the flexibility to have these advanced password functions without having to buy the entire IAM suite.  See it for yourself, schedule a demonstration by clicking the button below!