Encryption of IAM Data

Posted by Chris Hayes on Thu, Dec 17, 2015


2015 was a rough year for Identity and Access Management news.  Digital toymaker VTech lost 6.4 million children's names, birthdates, parents' email, mailing addresses and more.  Ashley Madison's data was exposed including email addresses, chat message data and more.  AT&T just agreed to pay $25 million as a result of 275,000 exposed customer names and other information.  Customer and employee identity data is extremely valuable.

Here at EmpowerID we have been working diligently to support an easy-to-use method of encrypting the data stored in our Identity Warehouse, and we are now excited to fully support encryption of all the data we inventory and store.  This means that if someone gets hold of the database files on a server, or of the backups, your data is still protected!

Encrypting data at rest means that a malicious party who obtains the database files or a backup cannot simply restore them onto another system and browse personally identifiable information (PII).  Identity data is encrypted with AES-256, which also helps satisfy the encryption-at-rest requirements of many laws, regulations and industry guidelines.

Below, the SQL Server encryption hierarchy, with dotted lines representing the encryption used by Transparent Data Encryption (TDE), courtesy of Microsoft.


 

Real-time I/O encryption of the EmpowerID 2016 Identity Warehouse means that pages are encrypted before they are written to disk and decrypted only when they are read into memory.  It is worth being precise about what this covers: TDE protects the data and log files and any backups taken from them, but a user who can authenticate to the database still sees plaintext, and anyone holding the certificate that protects the database encryption key can restore the backup elsewhere.  Access control on the database and safe custody of the certificate backup therefore remain essential.

Verification is easy enough once the background encryption scan has finished; the database then reports itself as fully encrypted (in SQL Server, encryption_state = 3 in sys.dm_database_encryption_keys), as shown below.


Once encryption is complete you can inspect a backup to confirm that the data is encrypted.  Below on the left, a backup taken before encryption shows PII in the clear; on the right, a backup of the same database taken after encryption is unreadable.  Note that backups taken before TDE was enabled stay in plaintext, so they need the same handling as any other unencrypted copy of the data.

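One way to perform the backup inspection described above yourself, as an added example that is not EmpowerID code: treat it as a negative test, extract the printable runs from the backup image the way the `strings` utility does, look for PII-shaped tokens, and measure the byte entropy.  The two backup images in the block are constructed stand-ins (a pre-encryption image with identity rows in the clear, and seeded pseudo-random bytes standing in for AES-256 output), not real backups.

```python
"""Negative test for a database backup: does it still contain plaintext PII?

Added example, not EmpowerID code.  Extracts printable runs the way `strings`
does, looks for e-mail-shaped tokens, and measures byte entropy.  A backup
taken after TDE was enabled should produce no hits and near-8-bit entropy.
"""
import math
import random
import re
from collections import Counter

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PRINTABLE_RUN_RE = re.compile(rb"[\x20-\x7e]{6,}")  # same idea as `strings -n 6`


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for row data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_plaintext_pii(data: bytes) -> list:
    """Distinct e-mail-shaped tokens found inside printable runs (sorted)."""
    hits = set()
    for run in PRINTABLE_RUN_RE.findall(data):
        hits.update(EMAIL_RE.findall(run))
    return sorted(hits)


def assess_backup(data: bytes, entropy_floor: float = 7.5) -> dict:
    """Summarise one backup image: PII hits, entropy and an overall verdict."""
    pii = find_plaintext_pii(data)
    entropy = shannon_entropy(data)
    return {"pii_hits": pii, "entropy": round(entropy, 2),
            "looks_encrypted": not pii and entropy >= entropy_floor}


# Constructed sample images (not real backups):
# a "before TDE" image with identity rows stored in the clear ...
UNENCRYPTED_BACKUP = (
    b"\x00" * 64
    + b"Person\x00jdoe\x00jane.doe@example.com\x001979-04-02\x00"
    + b"\x00" * 32
    + b"Person\x00bsmith\x00bob.smith@example.org\x001985-11-30\x00"
    + b"\x00" * 64
)
# ... and an "after TDE" image: seeded pseudo-random bytes standing in for AES-256 output.
_rng = random.Random(2015)
ENCRYPTED_BACKUP = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for label, image in (("before TDE", UNENCRYPTED_BACKUP), ("after TDE", ENCRYPTED_BACKUP)):
        print(f"{label}: {assess_backup(image)}")
```

A backup that yields no PII hits and near-8-bit entropy is consistent with TDE being on, but this is only a sanity check: the authoritative confirmation is the database's own encryption state, and a clean scan says nothing about whether the certificate backup is stored safely.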

If someone obtained the Identity Warehouse database files or a backup without the certificate that protects its encryption key, they would be unable to restore or attach it and recover the data, as you can see below.


So make 2016 the year you commit to encrypting employee and consumer data and the year you lower your exposure to data leaks!  Give us a call or click the link below for a quick demo of the EmpowerID difference.

Request a Demo

Enterprise IAM Controls for Resources in Amazon Web Services

Posted by Chris Hayes on Mon, Oct 19, 2015

Deploying servers out in AWS is great for a number of reasons: saving money, elastic capacity, increased speed.  There is a host of reasons that we won't even get into here.  One of the most important aspects of using AWS is remembering the "Shared Responsibility Model", which says that you, the customer, share responsibility with AWS for the security and access controls of the resources you host there.

Amazon goes on to state that, "While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter."

 


All of that basically boils down to the cold, hard fact that you, the Amazon customer, need a comprehensive Identity and Access Management tool deployed to secure your resources in AWS.  EmpowerID customers have asked for a better solution for this emerging paradigm and our development team has delivered in the form of our EmpowerID AWS Manager.


Built from the ground up to deliver functionality not typically seen in an Identity and Access Management suite, the AWS Manager packs in a lot: securing and managing RDP access, setting server uptime policies, and even starting and stopping servers in AWS directly from a dashboard, so that you have command over these aspects of your AWS environment from one place.

Also included in the AWS Manager is the ability to publish these resources into our award-winning IT Shop.  Business users can find and request access to them; EmpowerID routes the request to the access owner, who approves or rejects it, and the user is notified of the result.


 

The EmpowerID team is very excited about this new offering and will be hosting a webinar on October 29th at 1:00 pm Eastern; please follow the link and register today.

Topics will include:

  • Managing RDP access with enterprise policies
  • Managing uptime policies and time constraints for Servers hosted in AWS
  • Managing Privileged Vaulted Credentials
  • Reviewing Audit Logs

Give us a call or click the link below for a quick demo of the EmpowerID difference.

Request a Demo

Adding Intelligence to Active Directory with an Identity Warehouse

Posted by Chris Hayes on Wed, Sep 30, 2015

According to Microsoft, the Active Directory™ service provides user and computer accounts and distribution and security groups.  The service is essential for letting people log into Microsoft Windows workstations and for services that build on it, such as Group Policy, printer publishing, and DNS and DHCP servers integrated with the directory.

In a simple world, an architecture like this can sometimes suffice.


Where Active Directory comes up short is when you need to manage a global set of different domains; when you want an automated process that creates mailboxes in Office 365 and adds someone to a group when their identity is created or they move to a different office; or when you want to assign an access owner to a file share and have every request for access to that share routed to that person rather than to the helpdesk.

These are the reasons the EmpowerID Identity Warehouse was created.  We recognized the need for fine-grained authorization and approval workflows and included them.  We knew the Identity Warehouse needed comprehensive RBAC and ABAC capabilities along with delegation and location awareness, so we added those too.

In a more complex world you need an Identity Warehouse


With an Identity Warehouse you can automate tasks like:

  • Create an Active Directory account based upon a new record in something like UltiPro, SAP or PeopleSoft
  • Assign group membership based upon a Role, Attribute or Location
  • Assign business users as "Access Owners" or gatekeepers for file shares, SharePoint sites and more.
  • Create and perform Audits, Certifications and Attestations
  • Provide fine grained authorization at an API level for other applications and services
  • Allow for self-registration of an account for your consumers and business partners
  • Create and publish any other type of workflow

The EmpowerID Identity Warehouse contains important entitlement and authorization data for your organization.  This information is updated regularly from other databases and data stores and you get to decide how each attribute flows.  The Identity Warehouse also contains all of the statistical and analytical tools required to give you an up to date view related to risk, governance and compliance.


Here are a few more examples of how you can use the EmpowerID Identity Warehouse:

 

The EmpowerID Identity Warehouse plays a critical role in your fast-growing infrastructure.  Ensuring that the security controls you have in place strictly follow the business rules is really what it's all about.  We like to think of Active Directory as the engine and EmpowerID as the powertrain control module, taking in all of the sensor data and determining the exact air/fuel mixture so that everything runs correctly.  The same concept applies between the Identity Warehouse and Active Directory: we monitor everything and determine just what needs to be done at the lower level of Active Directory.

Want to find out more?  Click through and request a quick demo.

Request a Demo



 

Introducing an Enterprise Toolset to Manage Amazon's Simple AD

Posted by Chris Hayes on Mon, Sep 14, 2015

Ready for another directory store?

EmpowerID is excited to announce new capabilities for managing identities and groups in Amazon's Simple AD!  This off-premises directory from Amazon can be managed using EmpowerID's robust connector framework, with features like:

  • Scheduled inventory to see what is out in Amazon's Simple AD
  • Automated User Account Provisioning using EmpowerID RBAC and ABAC rules
  • Full Audit control
  • Full Attestation and Certification
  • Ties into our unique AWS Server management capabilities

Let's take a deeper dive into the solution and see what accounts are out in our Amazon Simple AD tenant.


Found the account we want to work on?  Let's dive a little deeper and add them to a group up in AWS.

Let's review the group changes for the user below.


 

And since we are talking about enterprise controls, let's track down that change: who did it, when did it happen and what changed.


 

As you can see, EmpowerID continues to lead the IAM marketplace with innovative features not found anywhere else.  When it comes to identities, roles and groups in Active Directory, SQL, Amazon AWS, Azure or anything else we have the right tools for the job.

Contact us today for a discussion on how we can help you manage identities in Amazon's Simple AD or anywhere else.

Request a Demo

 

 

The Most Important Question in Enterprise Authentication, Could You Answer it?

Posted by Chris Hayes on Wed, Aug 26, 2015

Screen_Shot_2015-08-26_at_7.06.44_AM

Application access is easy to provision using the standards and tools available today.  Cookies, headers, SAML, Kerberos, WS-Federation and OpenID: the tools are there and easier than ever to configure.  Salesforce.com, Office 365, SharePoint, Box and more; your users are getting into these applications without logging in multiple times (we hope; if not, check out EmpowerID SSO).  For many organizations this is how the story goes:

  • User A needs access to Application B
  • User logs into a webserver with a credential
  • Webserver validates that credential
  • Webserver redirects User A to Application B
  • User A is in Application B
  • End of story
That is a basic SSO portal, and it is the basics of authentication: it establishes who the user is and gets them into the application, nothing more.

But intelligent organizations should ask themselves questions like:

  • How long should User A have access to that application?
  • Who should authorize that User A should even have access to Application B?
  • How often should we review that User A should still have access to Application B?

Why are these important questions?  In IT we just know that access should be given or taken away.  We typically don't get involved in answering a question like why someone should have access.  That is why many environments have layers and layers of access that have been granted and never removed, like sediment.  Nobody has ever bothered to ask why this user has access to this application.

Enter the most important question in authentication today: why does a user have access to an application?  If we can answer that question, then the related questions fall into place: who gave them access, and how long should that access last?  Before you break out the Excel spreadsheets and walk the floors asking this question, let us propose a different route called automated attestation and certification.

EmpowerID ships with attestation and audit capabilities that break these reviews into tasks and automatically send them out to managers.  EmpowerID lets audit officers choose what they want to certify, including things like:

  • Groups
  • Applications
  • SharePoint sites
  • File shares
  • And more

Once an auditor sets a date for the audit to be complete, EmpowerID automatically generates tasks for managers, who can comment and certify as they see fit.


Audit owners can review progress on the certification at any time to ensure it is on track.


EmpowerID Attestation and Certification audits are retained historically too, so no matter when that question comes up you can always go back and see who certified the access and for what reason it was granted.  Best of all, when a manager certifies access, EmpowerID lets the manager specify how long that access should remain valid.  So short-term employee and vendor access just got that much easier to manage!

If you would like to discuss Attestation and Certification in more detail please click the link below and we will reach out.

Request a Demo

FIM vs EmpowerID - Building Identity Bridges That Scale

Posted by Chris Hayes on Mon, Aug 03, 2015

Microsoft FIM/Identity Manager is one of those tools that many organizations start out with when dealing with identity synchronization projects.  Testing the waters, it is often set up to flow identities and attributes to and from an HR database or another Active Directory forest.  When dealing with a few identities it works well enough, but ask it to deal with tens of thousands of identities and millions of attribute changes and you had better clear your calendar for the rest of the week.


The problem many start to recognize is that the FIM sync engine is like a single-lane bridge between identity stores.  It works great when you are servicing a very small town, but when you are trying to service a busy city things back up quickly.  The result of this architectural limitation is that sync jobs can run for days, even a week, and in today's instant-on/instant-off world that creates serious issues.  When you disable an account in your directory store, the expectation is that the change will be reflected in other directories quickly, not in a week.


 

EmpowerID was built from the ground up to be truly scalable: each lane can be another EmpowerID server checking in to help process sync jobs to other identity stores.  Our distributable, multi-instance sync engine is capable of handling the largest and most demanding environments, with billions of objects handled on time, every time.

The EmpowerID Inventory and Sync engines manage the data housed in the Metadirectory and let you determine attribute flow between connected systems according to one of the following flow rules, which you configure for each account store we connect to.

  • No Sync: When this option is selected, no information flows between EmpowerID and the native system.
  • Bidirectional Flow: When this option is selected, changes made within EmpowerID update the native system and vice-versa.
  • Account Store Changes Only: When this option is selected, changes can only be made in the native system and are then passed to EmpowerID.
  • EmpowerID Changes Only: When this option is selected, changes can only be made in EmpowerID and are then passed to the native system.
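To make the four flow rules concrete, here is an added example (not EmpowerID's sync engine) that builds a per-attribute sync plan for one person from the values held in the metadirectory and in a connected account store.  The per-attribute timestamps and the newest-write-wins handling of bidirectional conflicts are illustrative assumptions, and the person record and account store values are constructed sample data.

```python
"""Per-attribute flow rules between a metadirectory and a connected account store.

Added example, not EmpowerID code.  The four rules mirror the list above; the
per-attribute timestamps and newest-write-wins conflict handling for
bidirectional flow are illustrative assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class FlowRule(Enum):
    NO_SYNC = "No Sync"
    BIDIRECTIONAL = "Bidirectional Flow"
    ACCOUNT_STORE_ONLY = "Account Store Changes Only"
    METADIRECTORY_ONLY = "EmpowerID Changes Only"


@dataclass
class AttrValue:
    value: str
    modified: int  # unix time of the last write to this attribute on this side


@dataclass
class SyncPlan:
    to_store: dict = field(default_factory=dict)          # writes to push into the native system
    to_metadirectory: dict = field(default_factory=dict)  # writes to pull into the metadirectory
    reverted: list = field(default_factory=list)          # out-of-band edits undone by a one-way rule
    conflicts: list = field(default_factory=list)         # same-instant writes on both sides


def plan_sync(rule: FlowRule, meta: dict, store: dict) -> SyncPlan:
    """Decide, attribute by attribute, which side (if any) gets written under this rule."""
    plan = SyncPlan()
    if rule is FlowRule.NO_SYNC:
        return plan
    for attr in sorted(set(meta) | set(store)):
        m, s = meta.get(attr), store.get(attr)
        if m is not None and s is not None and m.value == s.value:
            continue  # already consistent, nothing to do
        if rule is FlowRule.METADIRECTORY_ONLY:
            if m is not None:  # the store never wins; a differing store value is drift
                plan.to_store[attr] = m.value
                if s is not None:
                    plan.reverted.append(attr)
        elif rule is FlowRule.ACCOUNT_STORE_ONLY:
            if s is not None:  # the metadirectory never wins; a differing value there is drift
                plan.to_metadirectory[attr] = s.value
                if m is not None:
                    plan.reverted.append(attr)
        else:  # BIDIRECTIONAL: the newer write wins; an exact tie is reported, not guessed
            if m is None:
                plan.to_metadirectory[attr] = s.value
            elif s is None:
                plan.to_store[attr] = m.value
            elif m.modified > s.modified:
                plan.to_store[attr] = m.value
            elif s.modified > m.modified:
                plan.to_metadirectory[attr] = s.value
            else:
                plan.conflicts.append(attr)
    return plan


# Constructed sample: one person as held in the metadirectory and in an AD account store.
META = {
    "department": AttrValue("Finance", 1450000100),
    "title": AttrValue("Analyst", 1450000000),
    "memberOf": AttrValue("Finance-RO", 1450000000),
}
STORE = {
    "department": AttrValue("Marketing", 1450000050),         # older write in AD
    "title": AttrValue("Analyst", 1450000000),                # in agreement
    "memberOf": AttrValue("Domain Admins", 1450000200),       # newer, out-of-band change in AD
    "telephoneNumber": AttrValue("+1 555 0100", 1450000000),  # only known to AD
}

if __name__ == "__main__":
    for rule in FlowRule:
        print(rule.value, plan_sync(rule, META, STORE))
```

Running plan_sync with the two one-way rules shows a useful property: an out-of-band edit on the non-authoritative side (here, a direct change to memberOf in the account store) is reverted, whereas in bidirectional mode the newest write wins and that change flows into the metadirectory.  The choice of flow rule is therefore also a choice about which system you trust for each attribute.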

EmpowerID has created the best sync engine in the world, giving you fine-grained control over every aspect of identity, group, role and attribute synchronization.  Give us a call or click the link below for a quick demo of the EmpowerID difference.

Request a Demo

EmpowerID Inserts Intelligence into 2013 SharePoint People Picker

Posted by Chris Hayes on Wed, Jun 24, 2015


The SharePoint 2013 People Picker is the tool you use to find and select users, groups and claims when granting someone permission to a site in SharePoint.  Its behaviour depends heavily on how authentication is configured for your site, so you need to make sure your SAML or claims provider is intelligent.

Don't let this happen to you

Not all claim providers are created equal!

Today the most common issue SharePoint administrators find with an authentication claims provider is that SharePoint will accept any name you type into the People Picker.  Even worse, with a typical claims provider you can type nonsense and you will see two results, neither of them valid!  That is because, without a custom claims provider, SharePoint has no way to query the SAML identity provider for matching users: it simply echoes whatever you typed back as a resolved claim, one result per mapped claim type.


Credit:Kirk Evans Microsoft Blog

This is not because the SharePoint People Picker needs to be fixed; it is working as designed.  The behaviour is a result of the claims provider.

The EmpowerID SharePoint Manager solves this problem: we have created the most intelligent claims provider on the market today.  In doing so we set out to do four things that have a big impact on the day-to-day operation of your SharePoint site.


1. Create the most intelligent claims provider in the world.  We didn't stop at returning real, validated results for the query; we also segregate the data so that delegated administrators only see results for the identities they are allowed to see.  This is an important point: if a business partner administrator wants to grant someone rights to a site, EmpowerID's data filtering and masking is still maintained.


2. Provide SharePoint "web parts".  These let users find new sites and request access to them, and let site administrators approve site access, all directly within SharePoint.

3. Fully support federated or claims-based authentication into SharePoint.  Users can authenticate with EmpowerID, bring their own social identity or use another identity provider.



4. Answer the "why" question.  Why does someone have access, and when was it granted?  The other side of a SharePoint claims provider is tracking these finer details.  EmpowerID includes full certification and attestation for SharePoint access, which gives your enterprise a host of risk controls that were not previously available.


Want to know more?

Watch a previously recorded webinar that discusses these points here, or click the button to request more information.

Request a Demo


Tags: Single Sign-on (SSO), authentication, Governance and Regulatory Compliance, Federation, User provisioning, Data Governance, Attestation, consumers, SAML, SharePoint, Access Governance, SSO

Data breaches continue to grow in Healthcare sector

Posted by Chris Hayes on Tue, May 26, 2015

Internal employees continue to pose the biggest risk in security breaches.


Latest Experian security forecast - Cost of breaches in the healthcare industry could reach $5.6 billion annually.

How will the next identity spill happen?  The latest Experian data breach industry forecast points to your employees being the biggest threat.  Stronger external authentication and tighter protocols continue to miss the mark.  Employee negligence will continue to be the leading cause of security incidents in 2015.

Experian goes on to state that Healthcare breaches will continue to grow this year.  With the huge challenge of securing such a significant amount of data, the problem becomes even more serious when organizations are faced with a shortage of internal expertise.  With the majority of breaches originating from inside company walls, the report clearly indicates business leaders need to fight the root cause of data breaches rather than buy the latest security widgets.

What are some steps that you can take in your organization to prevent the next identity spill?

Performing regular certification/attestation of access – At any time you need to be able to snapshot the access granted to a resource by roles, locations and person accounts.  Security assignments should be automated, but access should be certified and routed to an appropriately authorized person for review.  This review should verify the access and certify whether or not it is still valid.  A tool like EmpowerID makes certifications easy for the organization, with scheduled certification and attestation policies that can be run and audited.

Implement automated provisioning/deprovisioning – Role-based or attribute-based access needs to be automatically and immediately provisioned or deprovisioned.  When an employee's role changes, the resultant set of access needs to be calculated instantly.  Some application and resource access will be taken away and some will be granted.  The absence of role-based deprovisioning is a root cause of employees having too much access.  EmpowerID takes provisioning to the next level by letting you provision and deprovision based on roles in the organization.

Implement RBAC & ABAC controls - You need an RBAC/ABAC engine to continuously evaluate how much access someone should or shouldn't have.  EmpowerID uses a hybrid approach with RBAC and ABAC adding in rules and even Separation of Duties enforcement.

Control access to applications via a central identity provider - Having users log into apps with a separate username and password is a recipe for disaster.  An IdP allows you to centrally validate someone’s identity and then assert that identity into applications wherever they are.  The EmpowerID IdP allows employees to search for applications that are granted for their role, removes ones that are not granted and provides the SSO into the application.

Provide Self-Service password reset - Let's face it, this not only tightens up security, but saves a lot of money.  EmpowerID provides full detailed audit trails of anything account related such as who changed the password, who approved it and more.

Implement strong authentication, regardless of the application - There are a lot of ways to get into your network.  The VPN, the email server and SaaS applications are all exposed entries into the protected network.  Do they all have the same authentication capabilities?  You need an authentication service that supports all the protocols, not just those most used.  EmpowerID can step up authentication at any level for any service.  The VPN, the routers, the SaaS apps, SharePoint, it doesn't matter.

The bottom line is this: an ounce of prevention is better than a pound of cure.  According to Experian the average cost per lost record is just under $200, with an average total impact to your organization of just under $4 million.  Click through below and let us show you how easy it is to automate access and control privilege in your environment.

Request a Demo

Tags: GRC, authentication, IAG, IAM, Identity and Access Management (IAM), Access Governance

AWS & Azure the new access management silos, says Patrick Parker @ EIC 2015

Posted by Chris Hayes on Wed, May 06, 2015


“Organizations need to have the tools to manage these new access silos,” he told the opening session of the 2015 European Identity & Cloud (EIC) conference taking place in Munich.

During his keynote on day 1, Patrick identified the many limitations organizations face when managing these new access silos in AWS and Azure.

During day 2 Patrick discussed the role of IAM in hack prevention highlighting the recent Sony Pictures hack.


If you're around on the 7th you can catch his IAM best practices discussion from 12:00-13:00, or stop by for a discussion or deep-dive demo to see what makes empowerID the best IAM suite in the market today.  For those unable to attend in person, empowerID will be sharing the presentations in the near future.

 

Request a Demo

Tags: Active Directory, IAM, Attestation, Identity and Access Management (IAM), Access Governance

Adaptive 2-Factor Authentication for Citrix Netscaler

Posted by Chris Hayes on Thu, Apr 30, 2015

2-Factor for Citrix via empowerID

What is adaptive authentication?  By definition something adaptive should have a capacity or tendency toward adaptation when faced with different scenarios.  empowerID has taken this concept and applied it to our class-leading RADIUS service for Citrix and other "edge devices" like Cisco, Juniper, Palo Alto, F5 and more.

Having managed many Citrix NetScaler strong authentication projects myself, I understand the challenges faced when enabling 2-factor authentication with NetScaler products.

Common questions that you should ask yourself when undertaking a project like this are:
  • What methods does the authentication support?
  • Can I migrate users by groups in the back end rather than cut everyone over at the same time?
  • What kind of logging and reporting is available?
  • How scalable is the solution?
  • How are the configurations stored?
Now that we know some of the questions you need to be aware of, let's walk through an empowerID workflow for Citrix NetScaler below.

 

Adaptive Auth for Citrix

  1. Multiple users go to log in to the NetScaler.
  2. The NetScaler takes in a username and password.
  3. This information is passed to empowerID's RADIUS endpoint.
  4. empowerID looks at the group membership of the user.
  5. One user goes through 2-factor authentication.
  6. The other user goes through single-factor authentication.
  7. Both users are presented with the same information after authentication.

This truly adaptive model means you can migrate some of your users to 2-factor authentication while keeping the others at single-factor authentication.

So let's get back to a few key points:
  • What methods does the authentication support?
  • Can I migrate users by groups in the back end rather than cut everyone over at the same time?
    • Fully supported: keep everyone going to the same SAML login page and empowerID will determine whether the user needs 2-factor or single-factor authentication.
  • What kind of logging and reporting is available?
    • empowerID's audit and reporting engine leads the pack when it comes to real-time reporting and auditing.  While other products can't push reports up to a central audit point, empowerID doesn't have that limitation: built from the ground up to scale, it lets you log into one place and review all audit reports.
  • How scalable is the solution?
  • How are the configurations stored?
    • empowerID configurations are stored in a database, the way it should be done, not in flat web.config or .conf files, which are not methods that scale.

Ready to learn more?

Request a Demo

Tags: Active Directory, IAM, Identity Management, SAML, Citrix, Palo Alto, Identity and Access Management (IAM), Radius, 2-Factor, Cisco