The SharePoint 2013 People Picker is the tool you use to find and select users, groups and claims to grant someone a permission to a site in SharePoint.  The SharePoint 2013 People Picker is heavily dependent on how authentication is configured for your site so you need to ensure your SAML or claim provider is intelligent.

All claim providers created equally!

Today the most common issue SharePoint administrators find with an authentication claim provider is that any name you type in the People Picker, SharePoint will accept.  Even worse, with a typical claims provider you can type nonsense and you will see two results, neither of them valid!

Credit:Kirk Evans Microsoft Blog

This is not because the SharePoint People Picker needs to be fixed, it's working as designed, it is a result of the claim provider.

The EmpowerID SharePoint Manager solves this problem, we have created the most intelligent claim provider in the market today.  In doing so we set out to do 4 things which will have a huge impact on the day to day operations of your SharePoint site.

1. Create the most intelligent claim provider in the world.  We didn't stop at providing intelligent responses to the query, we also segregate the data so that delegated administrators can only view results for data that they can see.  This is a very important point, if a business partner administrator wants to grant someone rights to a site the EmpowerID data filtering and masking is still maintained.

2. Provide SharePoint "web parts".  This is technology that allows users to find new sites and request access to it.  It also allows site administrators to approve site access, all directly within SharePoint.
3. Fully support federated or claims based authentication into SharePoint.  Users can authenticate with EmpowerID, bring their own social identity or use another.

4. Answer the "Why" question.  Why does someone have access and when was it granted?  The other side a SharePoint claim provider is tracking these finer details.  EmpowerID includes full certification and attestation for SharePoint access, this provides your enterprise with a host of risk controls not previously available.

Want to know more?

Watch a previously recorded webinar that discusses these points here

click the button to request more information.

Internal employees continue to pose biggest risk in security breaches.

Latest Experian security forecast - Cost of breaches in the healthcare industry could reach $5.6 billion annually.

How will the next identity spill happen?  The latest Experian data breach industry forecast points to your employees being the biggest threat.  Stronger external authentication and tighter protocols continue to miss the mark.  Employee negligence will continue to be the leading cause of security incidents in 2015.

Experian goes on to state that Healthcare breaches will continue to grow this year.  With the huge challenge of securing such a significant amount of data, the problem becomes even more serious when organizations are faced with a shortage of internal expertise.  With the majority of breaches originating from inside company walls, the report clearly indicates business leaders need to fight the root cause of data breaches rather than buy the latest security widgets.

What are some steps that you can take in your organization to prevent the next identity spill?

• Perform regular certification or attestation of application or role access.
• Implement automated provisioning and deprovisioning of identities
• Implement Role Based Access Control and Attribute Based Access Control
• Control  access to applications via a central identity provider
• Provide Self-Service password reset
• Implement strong authentication, regardless of the application

Preforming regular certification/attestation of access – At any time you need to be able to snapshot the access granted to a resource by roles, locations and person accounts.  Security assignments should be automated, but access should be certified and routed to an appropriate authorized person for review.  This review should verify the access and certify if it is valid or not.  A tool like EmpowerID makes certifications easy for the organization with scheduled certification and attestation policies that can be run and audited.

Implement automated provisioning/deprovisioning – Role based or attribute based access needs to be automatically and immediately provisioned or deprovisioned.  When an employee’s role changes, the resultant set of access needs to be calculated instantly.  Some application and resource access will be taken away and some will be granted.  Absence of role based deprovisioning is a root cause of an employee having too much access.  EmpowerID takes provisioning to the next level by allowing you to provision and deprovision based upon roles in the organization.

Implement RBAC & ABAC controls - You need an RBAC/ABAC engine to continuously evaluate how much access someone should or shouldn't have.  EmpowerID uses a hybrid approach with RBAC and ABAC adding in rules and even Separation of Duties enforcement.

Control access to applications via a central identity provider - Having users log into apps with a separate username and password is a recipe for disaster.  An IdP allows you to centrally validate someone’s identity and then assert that identity into applications wherever they are.  The EmpowerID IdP allows employees to search for applications that are granted for their role, removes ones that are not granted and provides the SSO into the application.

Provide Self-Service password reset - Let's face it, this not only tightens up security, but saves a lot of money.  EmpowerID provides full detailed audit trails of anything account related such as who changed the password, who approved it and more.

Implement strong authentication, regardless of the application - There are a lot of ways to get into your network.  The VPN, the email server and SaaS applications are all exposed entries into the protected network.  Do they all have the same authentication capabilities?  You need an authentication service that supports all the protocols, not just those most used.  EmpowerID can step up authentication at any level for any service.  The VPN, the routers, the SaaS apps, SharePoint, it doesn't matter.

The bottom line is this, an ounce of prevention is better than a pound of cure.  According to Experian the average cost per lost record is just under $200 dollars, with average total impact cost to your organization just under $4 million.  Click through below and let us show you how easy it is to automate access and control privilege in your environment.

“Organizations need to have the tools to manage these new access silos,” he told the opening session of the 2015 European Identity & Cloud (EIC) conference taking place in Munich.

During his Keynote discussion on day 1 Patrick identified the many limitations when managing new access silos in AWS and Azure.  

During day 2 Patrick discussed the role of IAM in hack prevention highlighting the recent Sony Pictures hack.

If you're around on the 7th you can catch his IAM best practices discussion from 12:00-13:00 PM or stop by for a discussion or deep dive demo to see what makes empowerID the best IAM Suite in the market today.  For those unable to attend in person empowerID will be sharing the presentations in the near future.

 

What is Adaptive authentication? By definition something adaptive should have a capacity or tendency toward adaptation when faced with different scenarios. empowerID has taken this concept and applied it to our class leading Radius service for Citrix and other "edge devices" like Cisco, Juniper, Palo Alto, F5 and more.

Having managed many Citrix NetScaler strong authentication projects myself I understand the challenges faced when enabling 2-factor authentication with NetScaler products.

Common questions that you should ask yourself when undertaking a project like this are.

• What methods does the authentication support?
• Can I migrate users by groups in the back end rather than cut everyone over at the same time?
• What kind of logging and reporting is available?
• How scalable is the solution?
• How are the configurations stored?

So we know some of the questions you need to be aware of, let's walk through an empowerID workflow for Citrix NetScaler below.

 

1. Multiple users go to login to the NetScaler
2. The NetScaler takes in a username and password
3. This information is passed to empowerID's Radius endpoint
4. empowerID looks at the group membership of the user
5. One user will go through 2-factor authentication
6. One user will go through Single Factor authentication
7. Both users will be presented with the same information after authentication

This truly adaptive model means you can migrate some your users to 2-factor authentication while keeping some at single factor authentication.

So let's get back to a few key points:

1. What methods does the authentication support?

• empowerID supports Radius, LDAP, SAML, WS-Federation, WS-Trust, OAuth and more

Can I migrate users by groups in the back end rather than cut everyone over at the same time?

• Fully supported, keep everyone going to the SAML login page and empowerID will determine if the user needs 2-factor or single factor authentication.

What kind of logging and reporting is available?

• empowerID's audit and reporting engine leads the pack when it comes to real time reporting and auditing.  While other products can't push reports up to a central audit point empowerID doesn't have the same limitations.  Built from the ground up to scale you can log into one place and review all audit reports.

How scalable is the solution?

• 3-tier architecture model means you can easily scale to millions of users.

How are the configurations stored?

• empowerID configurations are stored in a database, the way it should be done.  Not in flat web.config or .conf files, these aren't methods that scale.

Ready to learn more?

 

 

empowerID is excited to announce that CEO Patrick Parker will present at the European Identity & Cloud Conference (EIC) hosted by KuppingerCole on May 5-8 at the Dolce BallhausForum Unterschleissheim in Munich, Germany.

Patrick's session entitled "How to Manage Authorizations in Cloud Services" takes place on Tuesday, May 5

Topics covered will include:

• The race to transplant onsite infrastructure and applications to the Cloud
• How to enable strong yet flexible control over authorization
• How to approache the challenge of role and attribute-based authorization
• Patrick will give an overview of the authorization capabilities offered by the Microsoft Azure and Amazon AWS platforms and include best practice suggestions.

Everyone's heard of Single Sign On or SSO.  By helping your end users get through their day, it allows them to first validate their enterprise identity and then seamlessly get into all of their enterprise applications.

The ugly secret of the SSO landscape is the lack of any real access control.  If you need to provide access to an application like Salesforce you have to add them into an Active Directory group.  That is simply not something that scales and will instantly become an administrative burden.  Let's not even get into what happens when that person moves to a new department, are you really going and removing them from the groups they shouldn't have access to anymore?

EmpowerID has created the world's first integrated Role Based Access Control (RBAC) and SSO mechanism that allows you to assign resources like salesforce.com to a business role not a group.  This gives you unprecedented flexibility to assign resources to things like SharePoint, Salesforce or whatever the application is.

With EmpowerID you can assign resources to specific roles, like the example above where bank tellers in will be part of different active director groups but they can all be assigned the "Teller Business Role" and as such be allowed to access common resources for that role.  We've made it simple for you as an administrator too, manage these rules right through the EmpowerID WebAdmin console like you see below.

Reach out and we can walk you through how to add intelligence into your SSO engine today.