RBAC vs ABAC vs PBAC: A Practical Guide for Enterprises

Posted by Aditya Taneja on Mon, Aug 21, 2023

It is easy to see how the fragmentation of the modern IT landscape caused by the adoption of a Cloud-first model has increased the importance of a having well-managed authorization strategy and the complexity of achieving this goal. 

To help you choose the best access control model for your organization or application, we compare the most popular options, we'll also analyze and discuss the various attribute-based and role-based approaches for application authorization, including their applicability, strengths, and weaknesses: 

  • Role-Based Access Control (RBAC)
  • Attribute-Based Access Control (ABAC)
  • Policy-Based Access Control (PBAC)
  • Hybrid Role and Attribute-Compliant Access

A well-designed authorization system is essential for managing the day-to-day activities to control who has access to what and enable organizations to safely undergo a digital transformation moving more of their business online and into the Cloud.

Understanding the differences between different authorization models is critical for choosing an appropriate access control method for your organization or application. 

Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) is a security and authorization model for securing access to computer
resources used by almost all enterprises to secure their systems. RBAC access is based on roles defined by the business using them. In the RBAC model, roles are created, and then sets of permissions for resources are assigned to the role. Users are then granted one or more roles to receive access to resources. 

rbac
Fig: RBAC PDP Flow Determining Access to Bob’s X-Ray for Alice

RBAC Benefits
In the RBAC model, since access is not directly assigned to users but bundled into assignments made to roles, the correct assumption is that controlling and maintaining access is easier. Moreover, because roles and access management can be centralized, it is evident who has a role and access to the role grants. There are fewer assignments to be managed, which decreases the cost of security management and compliance auditing. Furthermore, according to a 2010 NIST study, correct RBAC implementation and efficient provisioning can also reduce employee downtime resulting in significant ROI.

  • RBAC is deterministic. An RBAC approach makes it easy to know who has access to what at any moment in time.
  • RBAC is more direct and easier to visualize. Security admins can visualize the actors and resources they will affect when creating or modifying a policy.
  • RBAC is inherently auditable. With RBAC assignments, as the consequences of that access are visible, it is simple for business owners to certify or attest to access granted. This visibility contrasts with ABAC where a “before the fact audit" is impossible and the effects of a rule are difficult to ascertain.
  • RBAC can be simpler than ABAC. For example, with RBAC, bundles of access can be directly assigned to a user. To do this in ABAC requires the creation of a new rule.

RBAC Weaknesses

Unfortunately, the precise nature of the RBAC model can also be considered the source of many of its weaknesses:

  • RBAC requires advanced knowledge of the Subjects and Resources and, typically, does not support making on-the-fly contextual decisions.
  • An RBAC-only approach can result in an enormous number of roles to accomplish fine-grained authorization.
  • Resource owners must know something about the roles and their intended purpose to grant access to those roles accurately.
  • Resources must be organized into collections to facilitate delegation.
  • Probably the most well-known problem with RBAC is “role explosion.”  Organizations often end up with large numbers of roles to accommodate people performing the same job function within different geographical or functional areas within the company. Given a substantial number of roles and collections of resources, a correspondingly large number of delegations would need to be created and managed. 


ATTRIBUTE-BASED ACCESS CONTROL (ABAC)

Attribute-Based Access Control (ABAC): An access control method where the subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.

Splitter Copy 2

The policies that can be implemented in an ABAC model are limited only to the degree imposed by the computational language and the richness of the available attributes.

Splitter Copy 2

Essentially, the more decision data at your disposal at runtime, the more sophisticated your ABAC policies can be. 

ABAC relies on user attributes for authorization decisions. ABAC policies are rules that evaluate access based upon the following four sets of attributes:

  • Subject – the attributes concerning the person or actor being evaluated.
  • Resource – the attributes of the target or object being affected.
  • Action – describe the action to be performed on the Resource
  • Environment – includes attributes such as the time of the day, IP subnet, and others that do not relate to
    either the Subject or the Resource. 

abac

Fig: NIST SP 800-162 ABAC Definition

ABAC Benefits

The key advantage of ABAC is that it does not allow application developers to hardcode a static list of roles and oversimplify their authorization source code. Rather, ABAC forces them to centralize all authorization decisions and call out at runtime to decide based on the Subject, Resource, Action, and Environment request attributes. Another key benefit is ABAC’s sometimes simpler nature. This simplicity can make it easier to understand how a rule grants access to a resource when dealing with a small number of rules. In contrast, RBAC does seem foreign to many users, and, especially during the early phase of its adoption, the levels of abstraction can be challenging for an IT team.

One other added advantage of ABAC is its flexibility. With ABAC, as long as the necessary data is available, almost anything can be represented as a rule-based query. For example, a rule evaluated at runtime in a login session can use contextual information—even information passed in via SAML claims or JWT tokens. In contrast, when delivering the role membership for a user to the application, a standard RBAC engine would not evaluate this type of information.

Everything we cover in this blog can be explored further in our whitepaper “A Guide to Authorization”. You can find that whitepaper here: 

ABAC Primary Benefits

  • ABAC enforces centralized management of authorization policies
  • ABAC makes it easy to specify access rules as simple queries.
  • ABAC rules can be extraordinarily fine-grained and contextual.
  • ABAC rules can evaluate attributes of Subjects and Resources that are not inventoried by the authorization system.
  • ABAC rules need less maintenance and overhead because they do not require the creation or maintenance of the structure on which an RBAC model depends, e.g., roles and resource locations.

abac2


ABAC Weaknesses
The first challenge we encounter with implementing policies like this is the information needs to be obtained and evaluated at runtime. In our policy example, if we needed to know if the user’s nationality was Swiss, then this information would likely reside in either the corporate Active Directory or HR system. Moreover, if we needed to know if the company was in Emergency Mode or not, this essential information might be difficult to obtain in a live corporate environment. Likewise, if we needed to as certain their out-of-office status, this would reside in a corporate email system such as Microsoft 365. Furthermore, to attain information for network login sessions or the MFA status would require a query to an Identity Provider such as Ping Federate. 

abacchallanges

ABAC’s Primary Weaknesses

  • ABAC makes it extremely difficult to perform a “before the fact audit” and determine the permissions available to a specific user. To successfully determine access, not only might a considerable number of rules need to be executed, but they must also be done in the same order in which the system applies them. As a result, this could make it impossible to assess risk exposure for any given employee position.
  • In a comparable manner to how a “Role Explosion” can occur with RBAC, an explosion can also occur with ABAC where a system with N number of attributes would have 2N possible rule combinations.
  • Unless rules are kept extremely simple and do not access data from various source systems, ABAC systems with complex rules from multiple attribute sources can be unacceptably slow to answer authorization queries. 

RBAC Versus ABAC: Tradeoffs and Balance
As shown in Figure 28, the decision between ABAC and RBAC is a trade-off. On the one hand, you can have fast, simple, and other RBAC related benefits and, on the other, you can have extensible, scalable, and other ABAC-related advantages. To date, the challenge has been to find the right balance for your own organization’s needs. This is where Policy-Based Access Control (PBAC) helps. 

rbacabac

 

POLICY-BASED ACCESS CONTROL (PBAC)

Policy-Based Access Control (PBAC) is not a formally defined standard but rather describes an authorization model that combines RBAC and ABAC concepts and eliminates some of their shortcomings. The key concept behind PBAC is that policies are expressed as assignment relationships that can be visualized and manipulated graphically. Access rights to perform operations against resources or objects are acquired through relationships referred to as associations. This includes the ability to define complex hierarchical relationships with inheritance, which is overly cumbersome in ABAC. One might consider PBAC as “relational ABAC.” PBAC is best used for real time enforcement of authorization decisions where a well-developed role model can be leveraged for policy assignment.

PBAC policies are inherently more efficient than ABAC policies because authorization decisions are not based on multiple computed and then combined local decisions. Instead, they are based on the net result of multiple policies based on relationships existing within a single database. This aspect also allows PBAC to enforce dynamic Segregation of Duties (SOD) rules, which are not entirely achievable with ABAC. A last key feature mentioned is PBAC support for “before the fact audit,” which is the ability to see who has access to a resource at any time, and not just during the real-time evaluation of a policy set.

pbac

EMPOWERID’S HYBRID ROLE & ATTRIBUTE-COMPLIANT ACCESS APPROACH 

Defining and maintaining compliant access for a large organization can be a daunting task. Some types of applications and use cases are better suited to a more structured role-based approach, whereas others require real-time contextual decisions. RBAC, ABAC, and PBAC are three ways of managing authorization policies. Moreover, while both have overlapping qualities, individually, each one cannot cover all the necessary aspects of access control. However, for optimal, dynamic support of an IT organization’s needs, EmpowerID supports RBAC relational modeling. RBAC relational modeling provides the backbone or structure for defining an organization and its overall policies while leveraging the flexibility and real-time contextual nature of ABAC and PBAC to offer the best comprehensive solution. 



EmpowerID’s sophisticated role and relationship modeling allow security architects to model the organization and its structure and policies, including segregation of duties policies to prevent undesired combinations of access. As illustrated above, flexible attribute-based ABAC or PBAC policies support the centralized real-time decision point for applications that can call the EmpowerID API for authorization decisions. The ABAC/PBAC engine enhances or modifies the powerful RBAC engine's decisions, allowing their use only when greater flexibility or contextual information such as risk, location, and MFA type is required. By including the pre-calculated access results that the engine derives from complex RBAC policies that account for inheritance and even attribute-based queries, ABAC/PBAC policies are made much more potent. The end-goal of leveraging each approach's best is to deliver what EmpowerID calls “Compliant Access Delivery.” 

Splitter Copy 2

What is Compliant Access Delivery: Sign up for our Newsletter!

Splitter Copy 2

Conclusion

In summary, we learned that no single method covers all use cases and application technologies. The overall goal of Compliant Access Delivery requires using the best of each approach implemented following the principles of Zero Trust and Least Privilege. When executed correctly, this automates access assignments and reduces an organization’s attack surface, making it harder for attackers to find privileged credentials and offers them fewer capabilities to perform malicious activities when they compromise a privileged account. 

 

Bridge Your Security Gaps Today!

Tags: Active Directory, IAM, Virtual Directory, Access Governance, cloud security

How Enterprises can Bridge Security Gaps using Low-Code Platforms

Posted by Aditya Taneja on Fri, Aug 11, 2023

 

 

Bridge Your Security Gaps Today!

Tags: Active Directory, IAM, Virtual Directory, Access Governance, cloud security

MiMvsEmpowerIDArticle

Posted by Aditya Taneja on Wed, May 24, 2023

Microsoft Identity Manager (MIM) is a legacy identity management solution that has been around for a while. Organizations have been leveraging Microsoft Identity Manager (MIM) to centrally manage user identities, automate user provisioning and de-provisioning because of its relatively easy integration within the Microsoft Ecosystem. While it has served many organizations well, it lacks some of the essential features that modern identity management software offers.

Here are a few of the key features that MiM is missing compared to modern identity management solutions:

  1. Cloud-First Approach: 

    MIM was designed for on-premises environments, and while it can be extended to support cloud-based environments, it lacks the cloud-first approach that modern identity management solutions offer. This can make it challenging to manage hybrid environments or to take full advantage of the cloud's scalability and flexibility.
  2. Flexible Identity Models: 

    MIM relies heavily on the Active Directory schema, which can limit its flexibility when it comes to managing non-AD identities such as contractors, partners, and customers. Modern identity management solutions offer more flexible identity models that can accommodate a wider range of identity types and sources.
  3. Self-Service Provisioning:

    MiM requires significant manual intervention for account provisioning and access request workflows. Modern identity management solutions offer self-service capabilities that enable users to request and manage their own access, reducing the administrative burden on IT staff.
  4. Access Governance: 

    MiM offers basic access control functionality but lacks the more advanced access governance features found in modern identity management solutions. This includes capabilities such as entitlement cataloging, risk-based access certification, and access analytics.
  5. User Experience:

    MIM's user interface is complex and challenging to use, MiM’s frustrating User Interface is a common gripe amongst all its customers. Modern identity management solutions offer streamlined user experiences that are more intuitive and user-friendly, reducing the learning curve and improving user adoption.

EmpowerIDvsMiMs

In summary, while MIM has been a reliable identity management solution for many organizations, it lacks some of the essential features that modern identity management solutions offer. If you're looking for a more flexible, scalable, and user-friendly identity management solution, it's time to consider upgrading to a modern identity management platform such as EmpowerID.

EmpowerID is a next-generation identity and access management platform that provides unparalleled flexibility and scalability. With EmpowerID, you can easily manage identities, applications, and resources across your entire organization, regardless of size or complexity.

Here are just a few reasons why you should consider moving to EmpowerID:

  1. Greater Flexibility: EmpowerID offers a highly configurable platform that can be customized to fit your organization's unique needs. With our flexible architecture and robust API, you can easily integrate EmpowerID with your existing systems and workflows.
  2. Improved Security: EmpowerID provides comprehensive security features, including multi-factor authentication, role-based access control, and privileged access management. With EmpowerID, you can ensure that your organization's sensitive data and resources are protected from unauthorized access.
  3. Simplified Administration and Self-Service: EmpowerID's intuitive user interface and streamlined workflows make it easy for administrators to manage user accounts, access requests, and other identity-related tasks. With EmpowerID, you can reduce the administrative burden on your IT team and improve overall efficiency.
  4. Better User Experience: EmpowerID offers a seamless user experience, with a single sign-on portal that provides easy access to all of your organization's applications and resources. With EmpowerID, your users can enjoy a streamlined, hassle-free experience that improves productivity and reduces frustration.

So if you're looking for a powerful, flexible, and easy-to-use identity management solution, look no further than EmpowerID. Contact us today to learn more about how EmpowerID can help you take control of your organization's identity and access management needs.

Upgrade from Microsoft Identity Manager Today!

Tags: Active Directory, authentication, IAM, Access Governance, 2-Factor, authorization, Azure security

Say Goodbye to ActiveRoles - Upgrade Your Identity Management with EmpowerID

Posted by Aditya Taneja on Wed, Apr 05, 2023

If you are an ActiveRoles user, you know the value of a powerful and flexible Active Directory management solution. But as IT environments become more complex and diverse, managing identities and access across multiple systems and platforms requires a more comprehensive approach.

A modern Identity Governance solution provides more diverse features that understand the growing complexities of modern IT environments enabling deeper use cases than what you'd be limited by Quest Active Roles. While it provides many useful features for managing AD, it has quite a few limitations compared to other AD and identity governance platforms.

One of the biggest game-breakers with Active Roles is that it offers very limited functionality for Cloud users. While in theory, Quest can manage cloud users, but only to an extremely limited extent. The tool allows you to create and provision an AD user to a cloud system. However, the cloud system objects aren't inventoried and managed in the user interface, and you always need to have an AD user as your starting point for management.

This limitation can be problematic for organizations that rely heavily on cloud-based systems, as it creates an additional layer of complexity that may not be necessary. Without proper inventory and management of cloud-based users, organizations may struggle to maintain security and compliance standards.

EmpowerIDvsQuestActiveRoles-1

Aside from this, here's a list of a few more of these limitations for Quest ActiveRoles:
  1. Restrictive reporting and analytics capabilities:

    Quest ActiveRoles provides limited reporting and analytics capabilities, limited to just Users and Groups, as compared to other IGA Platforms that can provide in-depth and comprehensive analytics on every single AD Attribute. This severely limits you from getting a complete picture of your identity and access management activities.

  2. Neglible support for non-Microsoft platforms:

    Quest Active Roles is designed to work only with Microsoft Active Directory environments and does not support other directory services. This can be a significant limitation for your organization if you use a mix of different platforms, such as Unix or Linux. 

  3. Limited integration with other Systems and IAM solutions:

    Quest ActiveRoles does not integrate well with other IAM solutions, making it difficult for organizations to implement a comprehensive identity governance program. Active Roles also is limited to just being able to manage only your Active Directory, providing no way to manage users on other Systems and Applications. 

  4. Finite automation capabilities:

    Quest ActiveRoles does not provide extensive automation capabilities, which can make it difficult for organizations to automate repetitive tasks and workflows. Users will have to rely on writing scripting to complete tasks, which, when managing directories with millions of groups, objects, and users, can make even small tasks take exponentially longer and more expensive.

  5. Lacking Cloud readiness:

    ActiveRoles Server was designed to work with on-premises Active Directory environments, which is not ideal for organizations that are moving to the cloud or adopting hybrid environments. A modern Identity Management solution offers better cloud-ready features, such as support for multi-cloud environments and identity as a service (IDaaS) capabilities, reported missing in Quest ActiveRoles. 

  6. Lacking essential Identity features:

    ActiveRoles Server lacks advanced features like identity governance, access certification, risk-based access control, and identity analytics that are essential for modern organizations to manage identity and access in complex environments. Self Service features such as Access Requests and Password Resets are shown to have saved organizations millions of dollars in helpdesk costs and are seen as a must for any good IGA platform.

EmpowerID offers a modern, web-based solution that goes beyond Active Directory management to provide full Identity Governance and Administration, Access Management, and Privileged Access Management capabilities. With EmpowerID, you can manage identities and access across on-premises and cloud-based systems, applications, and platforms, including Microsoft Azure, SAP, Oracle, and more.

EmpowerID's True Zero Trust administration for Azure and other platforms allows for fine-grained access controls and risk management, and its low-code identity orchestration engine allows for easy automation of complex business processes. EmpowerID's powerful RBAC and PBAC hybrid authorization engine provides efficient and flexible administration and runtime policy enforcement.

Not only does EmpowerID offer advanced capabilities beyond Active Roles, but it also offers the convenience and scalability of a modern SaaS platform. EmpowerID's modular licensing allows you to add or remove features as your needs change easily, and its cloud-based deployment means you can manage your identities and access from anywhere.

Don't settle for less with ActiveRoles - Make the switch to EmpowerID and experience the power and flexibility of a modern, web-based Identity Governance and Administration solution that goes beyond Active Directory management.

If you'd like to read more about Cloud Ready Identity Governance Platforms, we'd recommend our Whitepapers on these subjects: Siemens Case Study, Cloud Infrastructure Entitlement Management (CIEM) Report

 

Upgrade from ActiveRoles Today!

 

Tags: Active Directory, IAM, Virtual Directory, Access Governance, cloud security

AWS & Azure the new access management silos, says Patrick Parker @ EIC 2015

Posted by Chris Hayes on Wed, May 06, 2015

20150505 171359

“Organizations need to have the tools to manage these new access silos,” he told the opening session of the 2015 European Identity & Cloud (EIC) conference taking place in Munich.

During his Keynote discussion on day 1 Patrick identified the many limitations when managing new access silos in AWS and Azure.  

During day 2 Patrick discussed the role of IAM in hack prevention highlighting the recent Sony Pictures hack.

DSC 0016 resized 600

If you're around on the 7th you can catch his IAM best practices discussion from 12:00-13:00 PM or stop by for a discussion or deep dive demo to see what makes empowerID the best IAM Suite in the market today.  For those unable to attend in person empowerID will be sharing the presentations in the near future.

 

Request a Demo

Tags: Active Directory, IAM, Attestation, Identity and Access Management (IAM), Access Governance

Adaptive 2-Factor Authentication for Citrix Netscaler

Posted by Chris Hayes on Thu, Apr 30, 2015

2-Factor for Citrix via empowerID

What is Adaptive authentication? By definition something adaptive should have a capacity or tendency toward adaptation when faced with different scenarios. empowerID has taken this concept and applied it to our class leading Radius service for Citrix and other "edge devices" like Cisco, Juniper, Palo Alto, F5 and more.

Having managed many Citrix NetScaler strong authentication projects myself I understand the challenges faced when enabling 2-factor authentication with NetScaler products.

Common questions that you should ask yourself when undertaking a project like this are.
  • What methods does the authentication support?
  • Can I migrate users by groups in the back end rather than cut everyone over at the same time?
  • What kind of logging and reporting is available?
  • How scalable is the solution?
  • How are the configurations stored?
So we know some of the questions you need to be aware of, let's walk through an empowerID workflow for Citrix NetScaler below.

 

Adaptive Auth for Citrix

  1. Multiple users go to login to the NetScaler
  2. The NetScaler takes in a username and password
  3. This information is passed to empowerID's Radius endpoint
  4. empowerID looks at the group membership of the user
  5. One user will go through 2-factor authentication
  6. One user will go through Single Factor authentication
  7. Both users will be presented with the same information after authentication
This truly adaptive model means you can migrate some your users to 2-factor authentication while keeping some at single factor authentication.

So let's get back to a few key points:
  1. What methods does the authentication support?
  • Can I migrate users by groups in the back end rather than cut everyone over at the same time?
    • Fully supported, keep everyone going to the SAML login page and empowerID will determine if the user needs 2-factor or single factor authentication.
  • What kind of logging and reporting is available?
    • empowerID's audit and reporting engine leads the pack when it comes to real time reporting and auditing.  While other products can't push reports up to a central audit point empowerID doesn't have the same limitations.  Built from the ground up to scale you can log into one place and review all audit reports.
  • How scalable is the solution?
  • How are the configurations stored?
    • empowerID configurations are stored in a database, the way it should be done.  Not in flat web.config or .conf files, these aren't methods that scale.

    Ready to learn more?

     Request a Demo

    Tags: Active Directory, IAM, Identity Management, SAML, Citrix, Palo Alto, Identity and Access Management (IAM), Radius, 2-Factor, Cisco

    Innovation and Productivity Gains From Identity and Access Management

    Posted by Bradford Mandell on Tue, Jul 15, 2014

    IAM Innovation

     

    Security for identities.  Managing user access to applications.  Auditing user access.

    “Ugh”, you might think, “That sounds like more cost, more time, and more responsibility for IT”.

    But a platform approach to Identity and Access Management (IAM) that is rich in innovation can result in lower costs, better productivity, and reduced demands for IT resources, while providing managers with better and more timely information.

    Take for example a home healthcare provider with $2 billion in revenue and 40,000 employees in 40 states facing constant pressure to reduce costs as a result of declining government reimbursements for their services.  This organization had already used their considerable size advantage to create efficiencies and reduce costs wherever possible.  Then their Chief Security Officer (CSO) conducted a review of IAM technology and presented his management with a plan that would improve the productivity of their employees, reduce the workload on IT, improve the security for patient data and assist their organization in continuing to be a leader in the quality of patient services.

    Built from a series of acquisitions in an industry that experiences high turnover, this organization lacked an efficient process for provisioning home healthcare workers into the many web applications they need to perform their work.  The process began with HR creating a manual request for IT to provision a new user into the apps they require, and once this was completed, the new user had to register themselves and create a password in each application. This process was complex and required too much effort for the home healthcare employees to learn and to maintain.

    The CSO’s experience with several of the oldest and most installed IAM platforms made him wary of starting a new project with one of them because of their high licensing costs and the difficulty in customizing them to meet an enterprise’s specific needs.  He wanted a solution that would be easier to implement and easier to mantain.

    After evaluating multiple products, he chose the EmpowerID platform for its different and innovative approach to Identity and Access Management.  Built on a single codebase with a workflow core and shipping with hundreds of ready to deploy workflows, the CSO was impressed with EmpowerID's broad functionality and its ability to easily design and to automate complex IAM processes with its visual Workflow Designer. 

    The CSO determined during a software trial that EmpowerID’s powerful Role-Based Access Control (RBAC) engine could create effective roles based on both an employee’s place in the organizational hierarchy and their location, and it could scale easily for the size of their staff. EmpowerID proved itself to be flexible in also offering Attribute-Based Access Control (ABAC) for their scenarios where the use of contextual policies to govern access is more appropriate. 

    He also discovered that EmpowerID’s integrated Single Sign-On (SSO) module federates not only with more recent web applications that natively support SAML authentication, but also with legacy applications that lack SAML capabilities.  Thus he could accommodate all of his user scenarios end to end, from provisioning to access, using EmpowerID, rather than having to integrate two or more applications. 

    The CSO concluded that EmpowerID’s “all in one” approach could create the solution they needed in a shorter timeframe with fewer professional services and less risk to their project timeline and budget. The ability to show his management faster ROI helped him to obtain funding for the project. 

    EmpowerID’s User, Group and SSO Manager modules were then deployed to provision and to manage federated identity for the application portal, allowing new users to be added within hours, instead of days, and enabling the use of one login by a healthcare provider to access all of their applications. 

    New user onboarding was further simplified by creating a feed from the organization’s PeopleSoft HR application to EmpowerID, which in turn creates all the user accounts and access privileges in the applications they need, based on their business role. New users require less training and are ready to go to work as soon as they claim their identity upon first logging into the application portal.

    The home healthcare staff appreciate EmpowerID's friendly HTML5 user interfaces that adapt to the screen size of any device they use, whether a tablet or a smartphone, and the reduction in effort to get to their clinical applications, while patients are pleased that less time is consumed by administrative tasks during their scheduled visits. 

    EmpowerID’s multi-factor authentication capability (using an OATH token and SMS one time password) was implemented to strengthen system access security and to better protect the privacy of patient data, which is important in meeting regulatory and audit requirements.

    EmpowerID also assists the organization’s auditors with data governance – the discipline of ensuring that access to corporate and patient data is secure and is subject to the proper controls. EmpowerID not only improves the quality of data, is also supports configurable Separation of Duties (SOD) policies, attestation procedures and system dashboards for quick visibility of pending tasks and system statistics. EmpowerID provides dozens of reports out of the box and it supports Microsoft’s SQL Reporting Services to quickly provide the information that different users need.

    As a result of successfully automating their new user provisioning process and providing a seamless single-sign on experience for its home healthcare staff, this organization is realizing substantial productivity savings that will pay for EmpowerID in a period of just eighteen to twenty-four months. 

    The CSO’s vision for a single, flexible platform that could be implemented on-time and within budget to automate and to securely manage multiple aspects of the enterprise, creating new efficiencies and cost-savings, has been fully realized with EmpowerID's deployment.

    Ranked by KuppingerCole as a Product Leader, Innovation Leader and Overall Leader in their recent Leadership Compass for Identity Provisioning, EmpowerID helps diverse organizations across the globe improve identity security and access governance, increase productivity, lower costs, and improve service delivery through its innovative and cost-effective approach to IAM. 

     

    Learn More about IAM Cost Savings with EmpowerID

    Tags: Single Sign-on (SSO), Active Directory, GRC, Group Management, Governance and Regulatory Compliance, Identity Management, User provisioning, Data Governance, Attestation, Separation of Duties, Password management, Identity and Access Management (IAM), Access Governance

    Active Directory synchronization from multiple sources

    Posted by Edward Killeen on Wed, Nov 20, 2013

    Active Directory has to be accurate.  It is too important to security, productivity and your sanity to let its identity data be wrong.  Users need AD to log on to the network, applications need AD to resolve permissions, and everyone needs groups for email.

    active directory synchronizationThe problem is that all of that identity information that you need to synchronize with Active Directory is in different places.  The old days of writing a script to copy department code from your HRIS is gone; between network complexity and the cloud, you need a more powerful flexible identity synchronization solution.

    EmpowerID employs a metadirectory to create a hub and spoke approach to identity and Active Directory synchronization.  The metadirectory becomes the full authoritative source for all identity information, using flexible attribute synchronization rules to move identity data from all sources to this central identity store.

    From the metadirectory, you can then take all of the identity information for the user and synchronize it to Active Directory, then dynamically generating groups and roles for the user.  The attribute flow can be bi-directional, uni-directional, across forest and domain boundaries, to and from cloud applications.  The sky is the limit.

    One of the big tricks is then managing data outside of ADUC.  EmpowerID not only has this powerful synchronization engine, but also provides AD self service with very flexible approval workflow capabilities.  The user can change their mobile phone number but will need manager approval to update their title, or IT approval to join the domain admin group.  Using EmpowerID's unique Rights Based Approval Routing (RBAR) technology, these approval workflows can be configured exceptionally easily and quickly.

    Your network both on premise and cloud based has gotten big and complex but keeping AD accurate is simple with EmpowerID's combination of AD synchronization and AD self service.  Learn more about how to keep Active Directory accurate with a personalized demo or download this whitepaper.

    Download whitepaper Active Directory Management

    Tags: Active Directory

    Self Service Identity Management

    Posted by Edward Killeen on Thu, Nov 07, 2013

    How about a trick question?  What is your most authoritative source for identity information?  It's not that tricky....your HRIS.  But your actual users are an awfully close second.  They know themselves and if you give them a self service portal, they can make your life easier.

    self service identity managementThe real trick is what you allow them to update via self service.  Most shops allow some limited Active Directory self service.  But there is so much more that you can open up with a well designed self service identity management system...as long as you put controls, approvals and lifecycle into effect.

    EmpowerID's HTML5 interface gives users a clean view into any application or identity store via a single interface from any device.  Attributes, group and role memberships, and permissions for any identity store / application can be managed via the metadirectory with updates either pushed directly to the application or synchronized on a scheduled basis.

    Any field can be hidden, read-only, or editable based on the user's role(s).  Approval workflows are managed via EmpowerID's unique RBAR architecture (Rights Based Approval Routing), allowing you to easily manage who can and cannot make and approve changes.  Lifecycle can be applied to any object or membership, allowing you to have full identity lifecycle and temporary privileged access.

    But the most important factor is what your users have access to self-serve.  Where most solutions stop at Active Directory, EmpowerID just starts there.  If a user needs to change their home phone number, that information needs to filter to AD for the GAL, HR for contact information, the emergency notification system, and to benefits databases.  Important information like this should not be left to scripts written by some contractor who won't work there in 3 months.

    There are other glaring examples around group memberships which affect other systems.  Dynamic group memberships that are driven off of identity information.  Office locations that determine parking privileges.  Mobile phone numbers for second factor authentication and device registration.

    Think of all of the things your users know about themselves that you cannot find out.  That is your list of attributes and systems that you allow self service for.  Think of everyplace that those attributes need to be synchronized.  That is your list of applications, databases and directories that you need to connect to.  Think of everyone who can actually approve those changes, that is your RBAR structure.

    Allowing self service for identity management does not replace the connectors, synchronization and metadirectory.  It complements it and makes a more thorough identity management solution.

    Identity management self service demo

    Tags: Active Directory, Identity and Access Management (IAM)

    Active Directory management without ADUC

    Posted by Edward Killeen on Tue, Oct 29, 2013

    active directory management without ADUCActive Directory is a bear to manage through ADUC.  It is clumsy and all-encompassing and the ability to manage granulary is exceptionally complex.  Delegating and instituting fine grained permissions requires deep and arcane knowledge of Active Directory.  In short, Active Directory management is difficult with ADUC and it doesn't have to be that way.

    EmpowerID is a full IAM suite that has the ability to specifically manage Active Directory exactly the way you need, either through delegation or automation.  The actual changes are made in the EmpowerID metadirectory with a very well established and powerful connector to Active Directory.  So, you manage with EmpowerID's RBAC structure and then send those changes to AD.

    One benefit of this structure is that you can manage multiple domains and forests from a single instance of EmpowerID.  Your helpdesk in Forest A can manage users in Forest B.  GAL synch is a breeze.

    Another advantage is the full auditing controls of EmpowerID.  The ability to institute attestation and lifecycle on any AD object.  Full reporting and audit grids are available for business users and auditors.  Separation of duties can be applied from groups, OUs, roles and managed even cross forest if necessary.

    Self service Active Directory management can be rolled out based on the user's roles, giving everybody the exact access to change identity attributes or group memberships that their roles allow.  Approval workflows are easy to configure using EmpowerID's proprietary Rights Based Approval Routing (RBAR).

    Dynamic memberships in roles and groups are managed easily and efficiently in EmpowerID.  Group membership is always up to date with the ability to read identity attributes not only from Active Directory but any other identity store.

    Everything can have a lifecycle, giving a 360 degree view of attestation and the ability to certify and approve lifecycle attestation from within emails.  Delegation and auditing of attestation should be a given.

    Break glass permission workflows are available for temporary privileged access.  So, if an admin needs emergency access to a server, they can run the workflow, be granted temporary access, and have that access completely auditable and reported to the CISO.

    If changes are made natively in ADUC, you can have a workflow to roll them back, report on those native changes, or send them for further approval.  Most importantly, with EmpowerID, you can completely shut off native ADUC access.  Many of our customers do this, having all changes made from within EmpowerID.

    Active Directory management can be a lot better than ADUC will ever allow.  Read our whitepaper on replacing ADUC and improve your AD management with fewer resources.

    Download whitepaper Active Directory Management

    Tags: Active Directory