The SharePoint 2013 People Picker is the tool you use to find and select users, groups and claims to grant someone a permission to a site in SharePoint.  The SharePoint 2013 People Picker is heavily dependent on how authentication is configured for your site so you need to ensure your SAML or claim provider is intelligent.

All claim providers created equally!

Today the most common issue SharePoint administrators find with an authentication claim provider is that any name you type in the People Picker, SharePoint will accept.  Even worse, with a typical claims provider you can type nonsense and you will see two results, neither of them valid!

Credit:Kirk Evans Microsoft Blog

This is not because the SharePoint People Picker needs to be fixed, it's working as designed, it is a result of the claim provider.

The EmpowerID SharePoint Manager solves this problem, we have created the most intelligent claim provider in the market today.  In doing so we set out to do 4 things which will have a huge impact on the day to day operations of your SharePoint site.

1. Create the most intelligent claim provider in the world.  We didn't stop at providing intelligent responses to the query, we also segregate the data so that delegated administrators can only view results for data that they can see.  This is a very important point, if a business partner administrator wants to grant someone rights to a site the EmpowerID data filtering and masking is still maintained.

2. Provide SharePoint "web parts".  This is technology that allows users to find new sites and request access to it.  It also allows site administrators to approve site access, all directly within SharePoint.
3. Fully support federated or claims based authentication into SharePoint.  Users can authenticate with EmpowerID, bring their own social identity or use another.

4. Answer the "Why" question.  Why does someone have access and when was it granted?  The other side a SharePoint claim provider is tracking these finer details.  EmpowerID includes full certification and attestation for SharePoint access, this provides your enterprise with a host of risk controls not previously available.

Want to know more?

Watch a previously recorded webinar that discusses these points here

click the button to request more information.

Internal employees continue to pose biggest risk in security breaches.

Latest Experian security forecast - Cost of breaches in the healthcare industry could reach $5.6 billion annually.

How will the next identity spill happen?  The latest Experian data breach industry forecast points to your employees being the biggest threat.  Stronger external authentication and tighter protocols continue to miss the mark.  Employee negligence will continue to be the leading cause of security incidents in 2015.

Experian goes on to state that Healthcare breaches will continue to grow this year.  With the huge challenge of securing such a significant amount of data, the problem becomes even more serious when organizations are faced with a shortage of internal expertise.  With the majority of breaches originating from inside company walls, the report clearly indicates business leaders need to fight the root cause of data breaches rather than buy the latest security widgets.

What are some steps that you can take in your organization to prevent the next identity spill?

• Perform regular certification or attestation of application or role access.
• Implement automated provisioning and deprovisioning of identities
• Implement Role Based Access Control and Attribute Based Access Control
• Control  access to applications via a central identity provider
• Provide Self-Service password reset
• Implement strong authentication, regardless of the application

Preforming regular certification/attestation of access – At any time you need to be able to snapshot the access granted to a resource by roles, locations and person accounts.  Security assignments should be automated, but access should be certified and routed to an appropriate authorized person for review.  This review should verify the access and certify if it is valid or not.  A tool like EmpowerID makes certifications easy for the organization with scheduled certification and attestation policies that can be run and audited.

Implement automated provisioning/deprovisioning – Role based or attribute based access needs to be automatically and immediately provisioned or deprovisioned.  When an employee’s role changes, the resultant set of access needs to be calculated instantly.  Some application and resource access will be taken away and some will be granted.  Absence of role based deprovisioning is a root cause of an employee having too much access.  EmpowerID takes provisioning to the next level by allowing you to provision and deprovision based upon roles in the organization.

Implement RBAC & ABAC controls - You need an RBAC/ABAC engine to continuously evaluate how much access someone should or shouldn't have.  EmpowerID uses a hybrid approach with RBAC and ABAC adding in rules and even Separation of Duties enforcement.

Control access to applications via a central identity provider - Having users log into apps with a separate username and password is a recipe for disaster.  An IdP allows you to centrally validate someone’s identity and then assert that identity into applications wherever they are.  The EmpowerID IdP allows employees to search for applications that are granted for their role, removes ones that are not granted and provides the SSO into the application.

Provide Self-Service password reset - Let's face it, this not only tightens up security, but saves a lot of money.  EmpowerID provides full detailed audit trails of anything account related such as who changed the password, who approved it and more.

Implement strong authentication, regardless of the application - There are a lot of ways to get into your network.  The VPN, the email server and SaaS applications are all exposed entries into the protected network.  Do they all have the same authentication capabilities?  You need an authentication service that supports all the protocols, not just those most used.  EmpowerID can step up authentication at any level for any service.  The VPN, the routers, the SaaS apps, SharePoint, it doesn't matter.

The bottom line is this, an ounce of prevention is better than a pound of cure.  According to Experian the average cost per lost record is just under $200 dollars, with average total impact cost to your organization just under $4 million.  Click through below and let us show you how easy it is to automate access and control privilege in your environment.

“Organizations need to have the tools to manage these new access silos,” he told the opening session of the 2015 European Identity & Cloud (EIC) conference taking place in Munich.

During his Keynote discussion on day 1 Patrick identified the many limitations when managing new access silos in AWS and Azure.  

During day 2 Patrick discussed the role of IAM in hack prevention highlighting the recent Sony Pictures hack.

If you're around on the 7th you can catch his IAM best practices discussion from 12:00-13:00 PM or stop by for a discussion or deep dive demo to see what makes empowerID the best IAM Suite in the market today.  For those unable to attend in person empowerID will be sharing the presentations in the near future.

 

What is Adaptive authentication? By definition something adaptive should have a capacity or tendency toward adaptation when faced with different scenarios. empowerID has taken this concept and applied it to our class leading Radius service for Citrix and other "edge devices" like Cisco, Juniper, Palo Alto, F5 and more.

Having managed many Citrix NetScaler strong authentication projects myself I understand the challenges faced when enabling 2-factor authentication with NetScaler products.

Common questions that you should ask yourself when undertaking a project like this are.

• What methods does the authentication support?
• Can I migrate users by groups in the back end rather than cut everyone over at the same time?
• What kind of logging and reporting is available?
• How scalable is the solution?
• How are the configurations stored?

So we know some of the questions you need to be aware of, let's walk through an empowerID workflow for Citrix NetScaler below.

 

1. Multiple users go to login to the NetScaler
2. The NetScaler takes in a username and password
3. This information is passed to empowerID's Radius endpoint
4. empowerID looks at the group membership of the user
5. One user will go through 2-factor authentication
6. One user will go through Single Factor authentication
7. Both users will be presented with the same information after authentication

This truly adaptive model means you can migrate some your users to 2-factor authentication while keeping some at single factor authentication.

So let's get back to a few key points:

1. What methods does the authentication support?

• empowerID supports Radius, LDAP, SAML, WS-Federation, WS-Trust, OAuth and more

Can I migrate users by groups in the back end rather than cut everyone over at the same time?

• Fully supported, keep everyone going to the SAML login page and empowerID will determine if the user needs 2-factor or single factor authentication.

What kind of logging and reporting is available?

• empowerID's audit and reporting engine leads the pack when it comes to real time reporting and auditing.  While other products can't push reports up to a central audit point empowerID doesn't have the same limitations.  Built from the ground up to scale you can log into one place and review all audit reports.

How scalable is the solution?

• 3-tier architecture model means you can easily scale to millions of users.

How are the configurations stored?

• empowerID configurations are stored in a database, the way it should be done.  Not in flat web.config or .conf files, these aren't methods that scale.

Ready to learn more?

 

 

empowerID is excited to announce that CEO Patrick Parker will present at the European Identity & Cloud Conference (EIC) hosted by KuppingerCole on May 5-8 at the Dolce BallhausForum Unterschleissheim in Munich, Germany.

Patrick's session entitled "How to Manage Authorizations in Cloud Services" takes place on Tuesday, May 5

Topics covered will include:

• The race to transplant onsite infrastructure and applications to the Cloud
• How to enable strong yet flexible control over authorization
• How to approache the challenge of role and attribute-based authorization
• Patrick will give an overview of the authorization capabilities offered by the Microsoft Azure and Amazon AWS platforms and include best practice suggestions.

Everyone's heard of Single Sign On or SSO.  By helping your end users get through their day, it allows them to first validate their enterprise identity and then seamlessly get into all of their enterprise applications.

The ugly secret of the SSO landscape is the lack of any real access control.  If you need to provide access to an application like Salesforce you have to add them into an Active Directory group.  That is simply not something that scales and will instantly become an administrative burden.  Let's not even get into what happens when that person moves to a new department, are you really going and removing them from the groups they shouldn't have access to anymore?

EmpowerID has created the world's first integrated Role Based Access Control (RBAC) and SSO mechanism that allows you to assign resources like salesforce.com to a business role not a group.  This gives you unprecedented flexibility to assign resources to things like SharePoint, Salesforce or whatever the application is.

With EmpowerID you can assign resources to specific roles, like the example above where bank tellers in will be part of different active director groups but they can all be assigned the "Teller Business Role" and as such be allowed to access common resources for that role.  We've made it simple for you as an administrator too, manage these rules right through the EmpowerID WebAdmin console like you see below.

Reach out and we can walk you through how to add intelligence into your SSO engine today.

EmpowerID has been recognized as a three time leader in a recent KuppingerCole report evaluating Identity and Access Management (IAM) / Identity Access Governance (IAG) Product Suites.

The IAM/IAG Leadership Compass “focuses on complete IAM/IAG (Identity Access Management/Governance) suites that ideally cover all major areas of IAM/IAG as a fully integrated offering,” Martin Kuppinger wrote in the report.

KuppingerCole, a respected global analyst focused on Information Security, examined Identity and Access Management / Governance Suites for this report. They specifically evaluated products that are integrated solutions with a broader scope than single-purpose products. Martin Kuppinger concluded in the report, “With their Windows-based product they [EmpowerID] offer one of the best integrated IAM Suites. All components have been built by EmpowerID, allowing for tight integration into a well thought-out architecture. This integrated approach is a clear strength of EmpowerID."

To request an unabridged copy of the the KuppingerCole report on IAM/IAG Suites, please visit http://info.empowerid.com/download-the-free-kuppingercole-iam-suites-leadership-compass.

Picture from toptal.com Why use Node.js

All too often the migration to the cloud involves supporting bits and pieces of software that you didn't expect. These road bumps can easily turn into a major headache for your organizations IT team. Migrations to Office 365 require a "user sync tool" out of the box called DirSync or AAD Sync. These extra pieces of software are difficult to manage, configure and maintain with many companies desperately looking for alternatives.

The EmpowerID Office 365 Manager allows your organization to take control of all aspects during your migration to Office 365.  If you're just starting or have fully cut over to O365 you can now put DirSync out to pasture.

EmpowerID Office 365 Manager allows for:

Single Sign-On Enable - Allowing employees to continue to login to Outlook, OWA, Lync, and SharePoint using their same corporate Active Directory username and password with Microsoft ADFS.

Administration and User Provisioning - Automate provisioning, delegation administration, and de-provisioning all without DirSync or AAD Sync.

Access Governance - Audit and periodically re-certify access to Office 365 mailboxes and groups based upon your organizations specific attestation requirements.

Audit Logging - Keep track of what's happening in your enviroment.  Even have reports emailed to you for review.

Role-Based Delegated Admin - Allow seperate business units to manage their users or even seperate companies.

Self Service Password Management - Stop the high number of password reset calls to your helpdesk.

On top of total governance of Office 365 from an on-premise IAG solution you can also manage multiple tenants from a single Active Directory domain or multiple AD domains to a single tenant, something that is available with EmpowerID. Allowing your organization to manage complex Office 365 deployments means you can ensure new domains can be integrated should the need arise.

If you're ready to learn more you can watch this previously recorded Office 365 demo or shoot us an email and we'll walk you though your options.

                              

Organizations that manage successful brands know what their customers want from a website experience and are able to provide it.

Consumers want simpler processes.  

They want a quick, seamless authentication experience. 

They want to get to a site from any device that is handy at the time, whether it’s a pc, a tablet or a smartphone.

They have lots of choices and they are bombarded with lots of information. Your branding must be visible and the flow of your customer through your site must be smooth so they will have a positive experience, remember you and want to return.

And your security for their identity needs to protect them and you without being obtrusive.

Your prize, if you capture consumers with a well-designed web presence, is a solid foundation for  business growth, faster fulfilment of your clients’ needs, and substantially greater efficiencies that can  reduce costs and drive profitability.

And of course you are supposed to accommodate all that and keep to a modest IT budget… phew!  

Here’s what it’s going to take:

• A highly scalable Single Sign On (SSO) and Identity and Access Management (IAM) platform – one that can take you where your ambition wants to go.  Your IAM infrastructure may need to manage millions of users and tens of thousands of logins an hour.
• Flexible branding – the login process can’t be generic, it and related Single Sign On (SSO) pages need to be customizable to your themes.
• Support for social media logins is a must if you want to simplify the user experience and entice the widest number of users possible.
• Self-service password reset and challenge questions that allows consumers to quickly get back in to your site if they forget their username or their password.
• 2^nd factor authentication capabilities and even identity validation will be needed if you need to provide an extra level of protection for your data or resources.  You may want the ability to step up authorization when a user needs to access more sensitive information.
• A flexible API is another core need – on that can be embedded into your existing applications to connect to common authentication, provisioning and authorization processes.
• You will want a licensing model that scales from a modest user base to one that is still affordable if you exceed your best expectations.
• And while many SSO platforms claim that you can easily entrust provisioning to another platform that they can connect to, that’s going to cost you more money to develop, to implement and to support. So you will want a platform that is capable of integrating all of your essential identity management tasks from the start.
• There is a lot of other technical stuff that you are going to want, like compatibility with all the major standards (SAML, WS-Fed, OAuth), password vaulting and reverse proxy for those legacy apps that can’t make a standard federated connection, but that still need to talk to your federated environment (because throwing out everything you own to pave way for new standards isn’t always practical).

There is a solution that provides all of the above: EmpowerID. 

EmpowerID is an integrated and modular platform, built on a single codebase and driven by workflow with prebuilt one-to-many SSO and Identity Management scenarios with the needs of consumers in mind. 

EmpowerID’s visual workflow designer and adaptive HTML5 interfaces offer a vastly improved and simplified approach to traditional SSO and IAM challenges.  It can be stood up in just a few days or weeks depending on the customization desired, instead of the months that other applications take. 

Most importantly, EmpowerID supports a satisfying access experience for consumers and drives strong ROI with its secure, seamless and flexible identity processes.