IAM Role Mining Powered by Machine Learning Algorithms

Posted by Chris Hayes on Mon, Feb 01, 2016


One of the largest issues facing an organization's identity and access management project is the task of creating appropriate management and business roles and the access those roles should provide.  We can all take a look at the structure of a company and say it should have an IT role, a Sales role, an HR role and Executive roles, but what about trying to map out the permissions that large groups of people already have?

EmpowerID is excited to introduce Role Mining Campaigns powered by our unique machine learning algorithms.  EmpowerID simply inventories your systems and lets you pick the data to include in the role campaign.  We then pull in the relevant entitlement data based on what you are targeting for the campaign; this can be user information, group membership, NTFS and folder permissions, SharePoint rights and more.

The next step is to create Runs.  Each run outputs optimized candidate roles based on all of the selected parameters (this is called bottom-up role mining).  We then build a clustered entitlement map with ranked candidate roles, allowing you to visualize the data and look for overlap between roles, as seen below.


As seen above, you can simply look at the current pockets of access assignments and create one as a candidate role!  This process not only saves a great deal of time but also ensures you are taking a holistic look at the current rights.


We also allow you to see whether creating the role would cause a Separation of Duties policy violation before you create it, as seen above.
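To make the two ideas above concrete, here is a small added example (not EmpowerID's code, and not the algorithm behind its campaigns) of bottom-up role mining followed by a Separation of Duties check.  The user-to-entitlement inventory and the SoD pairs are constructed sample data; every name in them is hypothetical.  Candidate roles are entitlement sets shared by several users, ranked by how many direct assignments a role would replace, and each candidate is checked against the SoD policy before it could be published:

```python
from itertools import combinations

# Constructed sample inventory: user -> entitlements gathered from group
# membership, share permissions and application rights (all names hypothetical).
USER_ENTITLEMENTS = {
    "alice": {"grp-sales", "share-quotes", "crm-read"},
    "bob":   {"grp-sales", "share-quotes", "crm-read"},
    "carol": {"grp-sales", "share-quotes", "crm-read", "crm-approve"},
    "dave":  {"grp-finance", "share-ledger", "erp-post"},
    "erin":  {"grp-finance", "share-ledger", "erp-post", "erp-approve"},
    "frank": {"grp-it", "share-backups"},
    "gina":  {"grp-finance", "share-ledger", "erp-post", "erp-approve"},
}

# Constructed Separation-of-Duties policy: no single role may grant both
# halves of a pair (posting and approving the same transaction, for example).
SOD_PAIRS = {
    frozenset({"erp-post", "erp-approve"}),
    frozenset({"crm-read", "crm-approve"}),
}


def sod_violations(entitlements, sod_pairs=SOD_PAIRS):
    """Return the SoD pairs that a candidate role would grant in full."""
    ents = set(entitlements)
    return {pair for pair in sod_pairs if pair <= ents}


def mine_candidate_roles(user_entitlements, min_users=2, sod_pairs=SOD_PAIRS):
    """Bottom-up role mining over the inventory.

    Candidates are (a) each user's complete entitlement set and (b) the
    entitlements shared by every pair of users.  A candidate is kept when at
    least `min_users` users hold all of its entitlements, and it is ranked by
    the number of direct assignments it would replace (members x entitlements).
    """
    sets = {user: frozenset(ents) for user, ents in user_entitlements.items()}
    candidates = set(sets.values())
    for a, b in combinations(sets.values(), 2):
        if a & b:
            candidates.add(a & b)

    roles = []
    for cand in candidates:
        members = sorted(user for user, ents in sets.items() if cand <= ents)
        if len(members) < min_users:
            continue
        roles.append({
            "entitlements": cand,
            "members": members,
            "score": len(members) * len(cand),
            "sod_violations": sod_violations(cand, sod_pairs),
        })
    # Highest score first; ties broken deterministically by entitlement names.
    roles.sort(key=lambda r: (-r["score"], sorted(r["entitlements"])))
    return roles


if __name__ == "__main__":
    for role in mine_candidate_roles(USER_ENTITLEMENTS):
        flag = "  <-- SoD violation, do not publish" if role["sod_violations"] else ""
        print(f"{role['score']:>3} {sorted(role['entitlements'])} "
              f"members={role['members']}{flag}")
```

Running this ranks the sales and finance clusters first and flags the erin/gina candidate, which would bundle posting and approval rights into one role.  A real campaign works over far larger matrices, so the pairwise intersection here stands in for the clustering step; the SoD check is the part a reviewer should insist on before any candidate is promoted to a business role.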

Or maybe you'd like to hand pick your roles?  Below you can see we've just hand selected our roles and can now publish them.  This easily allows you to promote them to management roles or business roles while still optimizing to remove all of the direct assignments that the role grants.


With full support for both top down and bottom up role mining, EmpowerID continues to deliver the best product in the IAM space, saving you time and money!  Reach out today to learn more!

Request a Demo

EmpowerID Rings in 2016 with free Office 365 Manager Licenses

Posted by Chris Hayes on Wed, Jan 06, 2016

Free Office 365 Manager license with every User/Group Manager purchase!

EmpowerID is excited to announce starting Friday January 1, 2016 through Thursday March 31, 2016 we will be including our Office 365 Manager for free with every User Manager, Group Manager, or Exchange Manager purchase!  To receive this special deal, contact EmpowerID Sales today.

EmpowerID's New Year's resolution is to help customers eliminate the user login hassle with SSO and unburden IT admins from repetitive Identity and Access administration tasks.  The EmpowerID Office 365 Manager allows organizations to securely administer all aspects of Microsoft's Office 365 environment.

Office 365 Manager extends the capabilities of EmpowerID User Manager and Group Manager to Microsoft’s Office 365 platform by providing these capabilities:

  • Single Sign-On (SSO)
  • Role-Based Delegated Administration (RBAC)
  • Automated Provisioning and Sync
  • Dynamic Group Management of Security and Distribution Groups
  • Multi-Factor Authentication
  • Access Recertification and Audit Reporting
  • Mailbox and Folder Permission Audit, Management, and Self-Service
  • Provides broader management functionality than Microsoft’s standalone admin tools

Not only can the EmpowerID platform consolidate all of your Office 365 management tasks, it can also provide a single set of friendly web and mobile interfaces for all of your Cloud and on-premise systems, including Active Directory, LDAP and enterprise applications.


Ready to learn more?

Request a Demo

Tags: Office 365

Encryption of IAM Data

Posted by Chris Hayes on Thu, Dec 17, 2015


2015 was a rough year for Identity and Access Management news.  Digital toymaker VTech lost 6.4 million children's names, birthdates, parents' email, mailing addresses and more.  Ashley Madison's data was exposed including email addresses, chat message data and more.  AT&T just agreed to pay $25 million as a result of 275,000 exposed customer names and other information.  Customer and employee identity data is extremely valuable.

Here at EmpowerID we've been working diligently to support an easy to use method of encryption for data stored in our Identity Warehouse.  We are now excited to fully support encryption of all data we inventory and store.  This means if someone gets access to data files on a server or to backups, your data is still protected!

By encrypting data at rest we prevent malicious parties from taking the database files, restoring them onto another system and browsing personally identifiable information (PII).  Identity data is encrypted using AES-256, which also helps with compliance with many laws, regulations and guidelines in different industries.

Below is the encryption hierarchy, with dotted lines representing the encryption used by TDE (courtesy of Microsoft).



Supporting real-time I/O encryption of the EmpowerID 2016 Identity Warehouse means that the data is encrypted before it is even written to disk and only decrypted when read into memory.  Verification is easy once the process is complete; below we can see that the encryption process has finished.


Once encryption is complete you can look through backups to verify that the data is encrypted.  Below on the left you can easily see unencrypted data containing PII; after encryption, a backup of the same database is fully encrypted and unreadable.


If someone were able to get the Identity Warehouse database they would be unable to load it up to recover the data as you can see below.


So make 2016 the year you commit to encrypting employee and consumer data and the year you lower your exposure to data leaks!  Give us a call or click the link below for a quick demo of the EmpowerID difference.

Request a Demo

Enterprise IAM Controls for Resources in Amazon Web Services

Posted by Chris Hayes on Mon, Oct 19, 2015

Deploying servers in AWS is great for a number of reasons: saving money, elastic capacity, increased speed, and a host of others that we won't even get into here.  One of the most important aspects of using AWS is remembering the "Shared Responsibility Model", which basically says that you, the customer, are Amazon's partner when it comes to security and access controls for resources hosted in AWS.

Amazon goes on to state that, "While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter."



All of that basically boils down to the cold, hard fact that you, the Amazon customer, need a comprehensive Identity and Access Management tool deployed to secure your resources in AWS.  EmpowerID customers have asked for a better solution for this emerging paradigm and our development team has delivered in the form of our EmpowerID AWS Manager.


Built from the ground up to deliver functionality not typically seen in an Identity and Access Management suite, the AWS Manager is packed with capabilities.  Securing and managing RDP access, setting server uptime policies, and even the ability to start and stop servers in AWS directly from a dashboard ensure that you have total command over all aspects of your AWS environment.

Also included in the AWS Manager from EmpowerID is the ability to publish into our award winning IT Shop.  Business users can now find and request access to these resources.  Once requested, EmpowerID will send that request to an access owner who can approve it or reject it, and the user will be notified of the results!



The EmpowerID team is very excited about this new offering and will be hosting a webinar on October 29th at 1:00 pm Eastern.  Please follow the link and register today.

Topics will include:

  • Managing RDP access with enterprise policies
  • Managing uptime policies and time constraints for Servers hosted in AWS
  • Managing Privileged Vaulted Credentials
  • Reviewing Audit Logs

Give us a call or click the link below for a quick demo of the EmpowerID difference.

Request a Demo

Adding Intelligence to Active Directory with an Identity Warehouse

Posted by Chris Hayes on Wed, Sep 30, 2015

According to Microsoft, the Active Directory™ service provides user and computer accounts and distribution and security groups.  This service is essential for allowing people to log into Microsoft Windows workstations and for running things like Group Policy, publishing printers and providing DNS/DHCP services.

In a simple world, an architecture like this can sometimes suffice.


Where Active Directory comes up short is when you are trying to manage a global distribution of different domains, or trying to create an automated process that will create mailboxes in Office 365 and automatically add someone to a group when their identity is created or they move to a different office, or when you want to assign an access owner to a file share and have all requests for access to that share go to that person rather than have everyone call the helpdesk.

These are the reasons the EmpowerID Identity Warehouse was created.  We recognized the need for fine grained authorization and approval workflows and included them.  We knew the Identity Warehouse needed comprehensive RBAC and ABAC capabilities along with delegations and location awareness so we added that in too.

In a more complex world you need an Identity Warehouse


Only with an Identity Warehouse can you automate tasks like:

  • Create an Active Directory account based upon a new record in something like UltiPro, SAP or PeopleSoft
  • Assign group membership based upon a Role, Attribute or Location
  • Assign business users as "Access Owners" or gatekeepers for file shares, SharePoint sites and more.
  • Create and perform Audits, Certifications and Attestations
  • Provide fine grained authorization at an API level for other applications and services
  • Allow for self-registration of an account for your consumers and business partners
  • Create and publish any other type of workflow

The EmpowerID Identity Warehouse contains important entitlement and authorization data for your organization.  This information is updated regularly from other databases and data stores and you get to decide how each attribute flows.  The Identity Warehouse also contains all of the statistical and analytical tools required to give you an up to date view related to risk, governance and compliance.


Here are a few more examples of how you can use the EmpowerID Identity Warehouse:


The EmpowerID Identity Warehouse plays a critical role in your fast growing infrastructure.  Ensuring that the security controls you need in place strictly follow the business rules is really what it's all about.  We like to think of Active Directory as the motor and EmpowerID as the powertrain control module, taking in all of the sensor data and determining the exact air/fuel mixtures to ensure everything runs correctly.  It's this same concept between the Identity Warehouse and Active Directory, we monitor everything and determine just what needs to be done at the lower level of Active Directory.

Want to find out more?  Click through and request a quick demo.

Request a Demo


Introducing an Enterprise Toolset to Manage Amazon's Simple AD

Posted by Chris Hayes on Mon, Sep 14, 2015

Ready for another directory store?

EmpowerID is excited to announce new capabilities for managing identities and groups in Amazon's Simple AD!  This off premise directory from Amazon can be managed using the EmpowerID robust connector framework with features like:

  • Scheduled inventory to see what is out in Amazon's Simple AD
  • Automated User Account Provisioning using EmpowerID RBAC and ABAC rules
  • Full Audit control
  • Full Attestation and Certification
  • Ties into our unique AWS Server management capabilities

Let's take a deeper dive into the solution and see what accounts are out in our Amazon Simple AD tenant.


Found the account we want to work on?  Let's dive a little deeper and add it to a group in AWS.

Let's review the group changes for the user below.



And since we are talking Enterprise Controls, let's track down that change: who did it, when did it happen and what changed?



As you can see, EmpowerID continues to lead the IAM marketplace with innovative features not found anywhere else.  When it comes to identities, roles and groups in Active Directory, SQL, Amazon AWS, Azure or anything else we have the right tools for the job.

Contact us today for a discussion on how we can help you manage identities in Amazon's Simple AD or anywhere else.

Request a Demo



The Most Important Question in Enterprise Authentication, Could You Answer it?

Posted by Chris Hayes on Wed, Aug 26, 2015


Application Access: it's easy to provision using the standards and tools available today.  Cookies, headers, SAML, Kerberos, WS-Federation and OpenID: the tools are there and easier than ever to configure.  Salesforce.com, Office 365, SharePoint, Box and more: your users are getting into these applications without logging in multiple times (we hope; if not, check out EmpowerID SSO).  For many organizations this is how the story goes.

  • User A needs access to Application B
  • User logs into a webserver with a credential
  • Webserver validates that credential
  • Webserver redirects User A to Application B
  • User A is in Application B
  • End of story

Yea, basic SSO portal right there

Yes, these are the basics of authentication: an SSO portal.

But intelligent organizations should ask themselves questions like:

  • How long should User A have access to that application?
  • Who should authorize that User A should even have access to Application B?
  • How often should we review that User A should still have access to Application B?

Why are these important questions?  In IT we just know that access should be given or taken away.  We typically don't get involved in trying to answer a question like why someone should have access.  It's for this reason that many environments have layers and layers of access that has been granted and never removed, like sediment.  Nobody has ever bothered to ask why this user has access to this application.

Enter the most important question in authentication today: why does a user have access to an application?  If we can answer that question, then the other related questions fall into place: who gave them access and how long should that access last.  Before you start breaking out Excel spreadsheets and walking the floors asking this question, let us propose a different route called automated attestation and certification.

EmpowerID ships with attestation and audit capabilities that slice and dice these tasks and automatically send them out to managers.  EmpowerID allows audit officers to choose what they want to certify, including things like:

  • Groups
  • Applications
  • SharePoint sites
  • File shares
  • And more

Once an auditor sets a date for the audit to be complete EmpowerID will automatically generate tasks for managers who can comment and certify as they see fit.


Audit owners can go in and review progress on the certification at any time to ensure you are on track.  


EmpowerID Attestation and Certification audits are all kept historically too so no matter when that question comes up you can always go back and see who certified the access and for what reason the access was granted.  Best of all, when that manager certifies that access EmpowerID allows the manager to specify how long that access should be valid for.  So short-term employee and vendor access just got that much easier to manage!
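As an added illustration of the three questions above (who granted the access, why, and for how long), here is a small model of access grants with a certification history, the expiry a manager sets at certification time, and the queue an audit owner would review.  This is example code written for this post, not EmpowerID's implementation; the grants, managers, dates and 90-day review cadence are all constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Certification:
    """One manager decision; kept forever so 'who certified this, and why' can be answered later."""
    manager: str
    on: date
    valid_until: date
    comment: str


@dataclass
class AccessGrant:
    user: str
    resource: str
    granted_by: str          # a person, or the policy that assigned it
    granted_on: date
    reason: str
    certifications: list = field(default_factory=list)   # history, never overwritten


def certify(grant, manager, on, valid_for_days, comment=""):
    """A manager certifies the access and states how long it should stay valid."""
    cert = Certification(manager, on, on + timedelta(days=valid_for_days), comment)
    grant.certifications.append(cert)
    return cert


def current_status(grant, today, review_every_days=90):
    """Classify a grant as of `today` using its most recent certification."""
    if not grant.certifications:
        return "never certified"
    latest = max(grant.certifications, key=lambda c: c.on)
    if latest.valid_until < today:
        return "expired"                 # the manager's validity window has passed
    if (today - latest.on).days > review_every_days:
        return "review overdue"          # still valid, but due for another look
    return "valid"


def review_queue(grants, today, review_every_days=90):
    """Everything an audit owner must act on: any grant that is not currently valid."""
    queue = []
    for grant in grants:
        status = current_status(grant, today, review_every_days)
        if status != "valid":
            queue.append((grant, status))
    return queue


def explain(grant):
    """Answer the 'why does this user have this access?' question from the record."""
    lines = [f"{grant.user} has {grant.resource}: granted by {grant.granted_by} "
             f"on {grant.granted_on} ({grant.reason})"]
    for c in grant.certifications:
        lines.append(f"  certified by {c.manager} on {c.on}, valid until "
                     f"{c.valid_until}: {c.comment}")
    return "\n".join(lines)


# Constructed sample data: four grants, three of which need attention.
TODAY = date(2015, 8, 26)
GRANTS = [
    AccessGrant("alice", "sp-finance-site", "role-policy", date(2015, 6, 1), "Finance Analyst role"),
    AccessGrant("bob", "grp-vpn-users", "helpdesk", date(2015, 1, 15), "helpdesk ticket (constructed)"),
    AccessGrant("carol", "share-projectx", "mgr.lee", date(2015, 5, 1), "contractor on Project X"),
    AccessGrant("dave", "app-crm", "role-policy", date(2015, 3, 1), "Sales role"),
]
certify(GRANTS[0], "mgr.smith", date(2015, 8, 1), 90, "still on the finance team")
certify(GRANTS[2], "mgr.lee", date(2015, 5, 1), 60, "contract ends end of June")
certify(GRANTS[3], "mgr.jones", date(2015, 4, 1), 365, "annual certification")

if __name__ == "__main__":
    for grant, status in review_queue(GRANTS, TODAY):
        print(f"[{status}]")
        print(explain(grant))
```

With these inputs, bob's VPN membership has never been certified, carol's contractor share access expired with her contract, and dave's CRM access is still inside its one-year window but past the 90-day review cadence; only alice's grant is left alone.  Keeping the certification list append-only is what lets the "who certified it and why" question be answered months later.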

If you would like to discuss Attestation and Certification in more detail please click the link below and we will reach out.

Request a Demo

FIM vs EmpowerID - Building Identity Bridges That Scale

Posted by Chris Hayes on Mon, Aug 03, 2015

Microsoft FIM/Identity Manager is one of those tools that many organizations start out with when dealing with identity synchronization projects.  To test the waters, it is often set up to flow identities and attributes to and from an HR database or even another Active Directory forest.  When dealing with a few identities it works well enough, but start asking it to deal with tens of thousands of identities and millions of attribute changes and you had better clear your calendar for the rest of the week.


The problem many start to recognize is that the FIM sync engine is like a single-lane bridge between identity stores.  It works great when you are servicing a very small town, but when you are trying to service a busy city things start backing up quickly.  This architectural limitation of FIM can cause sync jobs to run for days, even a week, and in today's instant-on/instant-off world that can create serious issues.  When you disable an account in your directory store, the expectation is that the change will be reflected in the other directories pretty quickly, not in a week.



EmpowerID was built from the ground up to be truly scalable, each lane can be another EmpowerID server checking in to help process sync jobs to other identity stores.  Our distributable and scalable multi-instance sync engine is capable of handling the largest and most demanding environments with billions of objects being handled on time, every time.

The EmpowerID Inventory and Sync engines manage the data housed in the Metadirectory, letting you determine attribute flow between connected systems according to the following flow rules, which you can configure for each account store we connect to.

  • No Sync: When this option is selected, no information flows between EmpowerID and the native system.
  • Bidirectional Flow: When this option is selected, changes made within EmpowerID update the native system and vice-versa.
  • Account Store Changes Only: When this option is selected, changes can only be made in the native system and are then passed to EmpowerID.
  • EmpowerID Changes Only: When this option is selected, changes can only be made in EmpowerID and are then passed to the native system.
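The four flow rules above are easy to misread until you watch a change move through them, so here is an added example (written for this post, not EmpowerID's sync engine) that models a metadirectory with several connected account stores and applies one rule per store.  The store names and the configuration below are constructed: an authoritative HR database, a bidirectional AD, a legacy LDAP that only receives changes, and an archive directory that is inventoried but never synced.

```python
from enum import Enum


class FlowRule(Enum):
    """The four attribute flow rules, configured per account store."""
    NO_SYNC = "No Sync"
    BIDIRECTIONAL = "Bidirectional Flow"
    ACCOUNT_STORE_CHANGES_ONLY = "Account Store Changes Only"
    EMPOWERID_CHANGES_ONLY = "EmpowerID Changes Only"


# "inbound"  = a change observed in the native system flows into the metadirectory
# "outbound" = a change made in the metadirectory flows out to the native system
DIRECTIONS = {
    FlowRule.NO_SYNC: frozenset(),
    FlowRule.BIDIRECTIONAL: frozenset({"inbound", "outbound"}),
    FlowRule.ACCOUNT_STORE_CHANGES_ONLY: frozenset({"inbound"}),
    FlowRule.EMPOWERID_CHANGES_ONLY: frozenset({"outbound"}),
}

# Constructed configuration (store names are hypothetical).
ACCOUNT_STORE_RULES = {
    "hr-db": FlowRule.ACCOUNT_STORE_CHANGES_ONLY,   # HR is authoritative, never written to
    "corp-ad": FlowRule.BIDIRECTIONAL,              # changes flow both ways
    "legacy-ldap": FlowRule.EMPOWERID_CHANGES_ONLY, # only receives changes
    "archive": FlowRule.NO_SYNC,                    # inventoried, never synchronized
}


class SyncEngine:
    def __init__(self, rules):
        self.rules = dict(rules)
        self.metadirectory = {}                   # user -> {attribute: value}
        self.stores = {name: {} for name in rules}  # simulated native systems
        self.audit = []                           # what was applied or blocked, and why

    def _allows(self, store, direction):
        return direction in DIRECTIONS[self.rules[store]]

    @staticmethod
    def _set(target, user, attr, value):
        target.setdefault(user, {})[attr] = value

    def _push_outbound(self, user, attr, value, exclude=None):
        """Write a metadirectory value to every store whose rule permits outbound flow."""
        updated = []
        for store in self.stores:
            if store != exclude and self._allows(store, "outbound"):
                self._set(self.stores[store], user, attr, value)
                updated.append(store)
        return updated

    def inventory_change(self, store, user, attr, value):
        """A change detected in a native store during inventory.  Returns the targets updated."""
        self._set(self.stores[store], user, attr, value)   # the native system did change
        if not self._allows(store, "inbound"):
            self.audit.append(("blocked", store, user, attr, self.rules[store].value))
            return []
        self._set(self.metadirectory, user, attr, value)
        updated = ["metadirectory"] + self._push_outbound(user, attr, value, exclude=store)
        self.audit.append(("applied", store, user, attr, updated))
        return updated

    def metadirectory_change(self, user, attr, value):
        """A change made in EmpowerID itself.  Returns the native stores updated."""
        self._set(self.metadirectory, user, attr, value)
        updated = self._push_outbound(user, attr, value)
        self.audit.append(("applied", "metadirectory", user, attr, updated))
        return updated


if __name__ == "__main__":
    engine = SyncEngine(ACCOUNT_STORE_RULES)
    print(engine.inventory_change("hr-db", "alice", "department", "Finance"))
    print(engine.inventory_change("legacy-ldap", "alice", "department", "Sales"))  # blocked
    print(engine.metadirectory_change("alice", "mail", "alice@example.com"))
    for entry in engine.audit:
        print(entry)
```

A department change seen in HR lands in the metadirectory and is pushed to AD and the legacy LDAP but not to the archive; an edit made directly in the legacy LDAP is recorded as blocked and does not overwrite the authoritative value; a mail attribute set in the metadirectory reaches the outbound-enabled stores but is never written back to HR.  The audit list is the part worth keeping in a real deployment, because a blocked change is exactly the signal that someone edited a system that is not supposed to be authoritative.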

EmpowerID has created the best sync engine in the world, giving you fine-grained control over all aspects of identity, group, role and attribute synchronization.  Give us a call or click the link below for a quick demo of the EmpowerID difference.

Request a Demo

EmpowerID Inserts Intelligence into 2013 SharePoint People Picker

Posted by Chris Hayes on Wed, Jun 24, 2015


The SharePoint 2013 People Picker is the tool you use to find and select users, groups and claims to grant someone a permission to a site in SharePoint.  The SharePoint 2013 People Picker is heavily dependent on how authentication is configured for your site so you need to ensure your SAML or claim provider is intelligent.

Don't let this happen to you

All claim providers created equally!

Today the most common issue SharePoint administrators find with an authentication claim provider is that any name you type in the People Picker, SharePoint will accept.  Even worse, with a typical claims provider you can type nonsense and you will see two results, neither of them valid!

Not Valid

Credit:Kirk Evans Microsoft Blog

This is not because the SharePoint People Picker needs to be fixed; it's working as designed.  It is a result of the claim provider.

The EmpowerID SharePoint Manager solves this problem: we have created the most intelligent claim provider in the market today.  In doing so we set out to do four things which will have a huge impact on the day-to-day operations of your SharePoint site.

1. Create the most intelligent claim provider in the world.  We didn't stop at providing intelligent responses to the query, we also segregate the data so that delegated administrators can only view results for data that they can see.  This is a very important point, if a business partner administrator wants to grant someone rights to a site the EmpowerID data filtering and masking is still maintained.


2. Provide SharePoint "web parts".  This technology allows users to find new sites and request access to them.  It also allows site administrators to approve site access, all directly within SharePoint.

3. Fully support federated or claims-based authentication into SharePoint.  Users can authenticate with EmpowerID, bring their own social identity or use another.


4. Answer the "Why" question.  Why does someone have access and when was it granted?  The other side of a SharePoint claim provider is tracking these finer details.  EmpowerID includes full certification and attestation for SharePoint access, providing your enterprise with a host of risk controls not previously available.
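The difference between a claim provider that echoes whatever is typed and one that validates against a directory and respects delegated scopes (points 1 and 4 of the People Picker discussion above) comes down to the resolve step.  The following is an added example written for this post, not EmpowerID's provider or SharePoint's People Picker API; the directory entries, business units and administrator scopes are constructed, and `naive_resolve` reproduces the "two results for nonsense" behaviour described above for contrast.

```python
# Constructed directory of principals the provider may return (hypothetical names).
DIRECTORY = {
    "alice@corp.example":    {"display": "Alice Adams", "unit": "corp"},
    "bob@corp.example":      {"display": "Bob Brown",   "unit": "corp"},
    "carol@partner.example": {"display": "Carol Chen",  "unit": "partner"},
}

# Constructed delegation scopes: which business units each administrator may see.
ADMIN_SCOPE = {
    "it-admin":      {"corp", "partner"},
    "partner-admin": {"partner"},
}


def naive_resolve(query):
    """The failure mode described in the post: whatever was typed comes back as
    an identity claim and a role claim, so the picker shows two 'results' for
    nonsense and the site accepts them without the principal ever existing."""
    value = query.strip()
    return [{"type": "identity", "value": value}, {"type": "role", "value": value}]


def resolve(query, admin, directory=DIRECTORY, scope=ADMIN_SCOPE):
    """An intelligent provider: only principals that exist in the directory are
    returned, and only those inside the requesting administrator's scope, so a
    partner administrator cannot even see (let alone grant rights to) corp users."""
    q = query.strip().lower()
    if not q:
        return []
    units = scope.get(admin, set())      # unknown administrators see nothing
    results = []
    for claim, attrs in directory.items():
        if attrs["unit"] not in units:
            continue                     # data filtering is applied before matching
        words = attrs["display"].lower().split()
        if claim.startswith(q) or any(w.startswith(q) for w in words):
            results.append({"type": "identity", "value": claim, "display": attrs["display"]})
    return results


if __name__ == "__main__":
    print("naive:", naive_resolve("asdfqwer"))              # two bogus results
    print("it-admin 'asdfqwer':", resolve("asdfqwer", "it-admin"))   # nothing
    print("it-admin 'alice':", resolve("alice", "it-admin"))
    print("partner-admin 'alice':", resolve("alice", "partner-admin"))  # out of scope
    print("partner-admin 'ch':", resolve("ch", "partner-admin"))
```

The point to take from the contrast is that validation and scoping belong inside the provider: the People Picker faithfully shows whatever the provider returns, so an unvalidated provider turns a typo into a permission entry that nobody can later account for.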


Want to know more?

Watch a previously recorded webinar that discusses these points here, or click the button to request more information.

Request a Demo

Tags: Single Sign-on (SSO), authentication, Governance and Regulatory Compliance, Federation, User provisioning, Data Governance, Attestation, consumers, SAML, SharePoint, Access Governance, SSO

Data breaches continue to grow in Healthcare sector

Posted by Chris Hayes on Tue, May 26, 2015

Internal employees continue to pose biggest risk in security breaches.


Latest Experian security forecast - Cost of breaches in the healthcare industry could reach $5.6 billion annually.

How will the next identity spill happen?  The latest Experian data breach industry forecast points to your employees being the biggest threat.  Stronger external authentication and tighter protocols continue to miss the mark.  Employee negligence will continue to be the leading cause of security incidents in 2015.

Experian goes on to state that Healthcare breaches will continue to grow this year.  With the huge challenge of securing such a significant amount of data, the problem becomes even more serious when organizations are faced with a shortage of internal expertise.  With the majority of breaches originating from inside company walls, the report clearly indicates business leaders need to fight the root cause of data breaches rather than buy the latest security widgets.

What are some steps that you can take in your organization to prevent the next identity spill?

Performing regular certification/attestation of access – At any time you need to be able to snapshot the access granted to a resource by roles, locations and person accounts.  Security assignments should be automated, but access should be certified and routed to an appropriate authorized person for review.  This review should verify the access and certify whether or not it is valid.  A tool like EmpowerID makes certifications easy for the organization with scheduled certification and attestation policies that can be run and audited.

Implement automated provisioning/deprovisioning – Role based or attribute based access needs to be automatically and immediately provisioned or deprovisioned.  When an employee’s role changes, the resultant set of access needs to be calculated instantly.  Some application and resource access will be taken away and some will be granted.  Absence of role based deprovisioning is a root cause of an employee having too much access.  EmpowerID takes provisioning to the next level by allowing you to provision and deprovision based upon roles in the organization.

Implement RBAC & ABAC controls - You need an RBAC/ABAC engine to continuously evaluate how much access someone should or shouldn't have.  EmpowerID uses a hybrid approach with RBAC and ABAC adding in rules and even Separation of Duties enforcement.

Control access to applications via a central identity provider - Having users log into apps with a separate username and password is a recipe for disaster.  An IdP allows you to centrally validate someone’s identity and then assert that identity into applications wherever they are.  The EmpowerID IdP allows employees to search for applications that are granted for their role, removes ones that are not granted and provides the SSO into the application.

Provide Self-Service password reset - Let's face it, this not only tightens up security, but saves a lot of money.  EmpowerID provides full detailed audit trails of anything account related such as who changed the password, who approved it and more.

Implement strong authentication, regardless of the application - There are a lot of ways to get into your network.  The VPN, the email server and SaaS applications are all exposed entries into the protected network.  Do they all have the same authentication capabilities?  You need an authentication service that supports all the protocols, not just those most used.  EmpowerID can step up authentication at any level for any service.  The VPN, the routers, the SaaS apps, SharePoint, it doesn't matter.

The bottom line is this: an ounce of prevention is better than a pound of cure.  According to Experian the average cost per lost record is just under $200, with the average total impact cost to your organization just under $4 million.  Click through below and let us show you how easy it is to automate access and control privilege in your environment.

Request a Demo

Tags: GRC, authentication, IAG, IAM, Identity and Access Management (IAM), Access Governance
