All-In-One Identity Management and Cloud Security

Not all applications are created equal.  Not all users are created equal.  Different users need access to different applications; different users need different access to these applications.  We call this role based provisioning.  Based on a user's role they get access to the appropriate applications.  Again, based on their role, they get differing level of permissions within those applications.

The interesting part is that you also have on premise and cloud applications to provision.  It's not enough just to create an AD & Exchange account and let the application owners handle the rest.  Not in a true identity management system, one where you are managing roles and permissions centrally and dynamically.

Centrally, you have a role repository and metadirectory.  To correctly provision all of these users to these disparate applications, you need connectors to all your applications.  Building these connectors based on APIs allows you to map any roles and attributes from your central identity store. 

It doesn't matter if this is an on-premise or cloud application, the principle is exactly the same.  Your "person" identity in the metadirectory "joins" all of your accounts.  If your role says that you should have an account in the application, the connector creates the account and then inventories any changes that affect it going forward.

If your user changes jobs, automated provisioning means that their applications and permissions within those applications change.  Moving from Finance to Sales?  Your accounting software application account is deprovisioned and your Salesforce.com account is provisioned.  Role based provisioning lifecycle!  There isn't even an acronym for that it's so cool.

This is what identity and access management is about, giving the right users the right access to the right resources at the right time.  Automated provisioning really is this powerful and possible.  Let us take you on a tour of EmpowerID to show you what it can do.

I have often said that to see EmpowerID is to love EmpowerID.  The reason is that when clients are looking for Identity & Access Management (IAM) solutions they fall in love with the idea of a complete IAM platform, one built from scratch on a single codebase that allows for seamless integration of user provisioning and management, access governance, federation, and audit intelligence.

Having these pieces together and interoperable gives the ability to integrate workflows that marry authentication and authorization in one place.  When provisioning a user account, you can create application accounts based on their role.  You can force a second level authentication if a certain role is accessing a certain application.  Separation of duties can be applied across multiple applications.

These actions aren't possible if your SSO solution is distinct from your provisioning solution which is different from your RBAC solution which is different from your audit solution.  Even when purchased from a single vendor, these are often "frankenproducts" built from various acquisitions and mergers.  If you don't have a single platform, you might as well have five or more.

EmpowerID puts all of these IAM capabilities in one platform.  That is what allows you to check the user's role when authenticating; to create a workflow that does identity proofing when accessing secure resources; to offer attestation for group and role membership or application access.  In short, to make identity management unobtrusive for a better user experience.

We had a call today with a gentleman who needed to provide access to twelve different web applications.  His choice with other vendors was to have federated SSO with the applications or have an RBAC solution.  With EmpowerID, he realized that he'd be able to have the two married AND add the user provisioning to all 12 applications based on the role of the user.  A complete platform for his IAM needs.

Schedule a demo, take a tour, and fall in love with a complete IAM solution.

Identity information is stored in directories; so it would stand to reason that directory synchronization is the key to identity and access management (IAM).  But that igores the Access in IAM.  Shuttling identity attributes between directories, databases and applications helps but isn't full Identity and Access Management.

Of course, directory synchronization is a great place to start.  You want your access to be granted dynamically based on who and what your user is.  An HR manager in Topeka needs a different set of access than a sales director on the Skynet account.  In fact, those two users need to be synchronized to a completely different set of directories; this is handled with role based provisioning, where only that particular role gets a user account and access in that directory/application.

EmpowerID puts a metadirectory in the middle of your identity ecosystem that will create "person accounts".  Each "person" will have joined user accounts in every system, database or directory.  If they are supposed to have an account in any application based on their role, they will be provisioned.  Once provisioned, attribute flow rules are defined to make either side authoritative or last change wins.  Constant inventorying of directories keeps them synchronized.

All of this constant change is sort of the engine for the rest of IAM.  Your directory changes are reflections of your user changes.  The person directory knows that you got promoted, knows that you changed phone numbers or have a new account.  This drives your dynamic role assignments that provision new user accounts, give an elevated level of access in salesforce.com or grant you admin rights in SharePoint.

The directory synchronization drives your identity...your rights, your permissions, your accounts.  You have to have this capability but you cannot let this capability be your only method of managing identities.

In the past, I have seen some of the largest organizations in the world get overwhelmed just keeping their directories accurate.  This back and forth and constant change (up to 20% internal turnover on top of 5% external turnover) takes too much time to have a chance of keeping on top of the finer more intricate IAM tasks.

But it doesn't have to be that hard.  Take a look at that graphic above, it's that simple.  Rules can be inserted to transform or edit values (one directory has first and last in one attribute, while AD has it separate for example).  Getting the correct attributes flowing throughout the organization is the fastest and simplest part of EmpowerID.

Once you are there, a corporate metadirectory becomes immensely valuable in identity management.

I often think of Gartner's quote on identity and access management: "the right people have access to the right systems at the right time" and think how do you know if they are the right people or the right systems or the right access?  We work with organizations with hundreds of thousands of users, does Bob in IT know all of them?

I'm being facetious of course, there's nobody in IT named Bob usually.  But that's where your identity and access management platform comes in.  It is busy giving people access to systems and you need to make sure that you are inserting the "right" into that sentence & process.

Having trusted authoritative sources really helps.  If you know that HR and other systems know all of the employees, contractors, partners and customers, you can usually cover the "right person" aspect of all of this.  But, that isn't always the case, so you have your first attestation option right there to solve the "right people" issue.

There will be a departmental owner or manager or HR person who can attest periodically that that user is still an active employee.  Build a workflow where somebody has to approve the continuing existence of that user account.  Not just a network account, but application accounts too.  Think of the savings if you periodically have users attest that they still need that cloud application account for which you are paying a monthly fee.

If the account hasn't been used or accessed for a certain period (say, 90 days), bump up the attestation.  It's easy to build this into a BPM-based identity workflow.  Make more secure application accounts have a higher degree of attestation involving identity proofing or two factor authentication.

So, with that user attestation process you solve the right systems and the right people but what about the right access?  Roles and group attestation helps solve this.  Have the role or group owner attest to the membership of the group and the group's rights and permissions on a quarterly or yearly basis.  Give them the audit reports to show what that role or group can do and who has been doing it.

This should all be built in to the identity workflows that come with your IAM platform, if not, take a look at EmpowerID.  Dont' just give access to people, give the right access to the right people.

End users know their stuff.  I know this isn't a common refrain in IT but if you're talking about the users themselves when saying "their stuff" then there is no dispute.  So for some identity information, you actually need the user.  And to offer identity management self service.

The most obvious and important identity store to consider is Active Directory.  There is a lot of identity information within there to delegate: mobile phone, home address, and other personal information.  This is the sort of identity information your company needs and can only be provided by the users themselves.  In fact, once they enter it via your self service interface, take advantage of this and flow the information back to the HR system.

The items above you can usually trust your end users to provide.  There are a few items where you want to have control, put some sort of approval workflow on it.  Take for example, business phone, maybe you aren't flowing this from your telecom database and want your end user to update it but want the telecom guys to approve it, shoot a workflow request to them before committing it to AD.  I can't stress this enough, self service liberates IT but you need to have controls in place.

AD groups are a common delegated item.  End users should be able to join and leave groups but not all of them.  Using rights based approval routing, you can set specific groups to require group owner or admin approval before joining.  In fact, some groups should be completely off limits to self service (think financial reporting).

But Active Directory isn't the only identity store in your organization.  The benefit to a full Identity and Access Management platform is that you aren't limited to just AD.  By having a metadirectory in the middle of everything, you can create self service forms to the metadirectory or directly to any connected application. 

A great example is when you need to apply for a specific role in salesforce or your jive community.  Having a self service option allows you to apply for the role, enforce an approval workflow and using the IAM workflows, set a time limit on the access (temporary privileged access).  As you can see, self service is not limited to Active Directory at all but it can be in the exact same self service interface.

Of course, don't forget that self service identity management has to be part of an identity ecosystem.  Any attributes, roles or information that your users provide through self service should flow back into your identity stores and any appropriate applications.

Let us take you on a tour of how you can make this identity ecosystem more diverse and robust through self service.  With control.

Highly privileged accounts can cause a lot of damage and do a lot of good.  There is a tricky balancing act between having IT users with too much privilege and not enough.  On one hand, do their job and on the other, perform mischief (such as accidentally delete an OU which is a real example).

I have seen extremes from one out of business retailer who let every user have access to Active Directory Users & Computers (ADUC) to minimize help desk calls to a very successful international bank who has pretty much shut down ADUC in favor of a granular rights based self service delegation through empowerID.

That second use case is the one I want to talk about.  Not just for ADUC but for all resources that you want to control access through RBAC (role based access control) or ABAC (attribute based access control).  One of my go-to sayings is: "what you can't automate, delegate."

Let's start with Active Directory.  IT needs to create accounts, groups, computers and other objects in AD.  The problem with AD and ADUC is that one size fits all.  The same user who can create a group can also create a user or delete an OU.  You have to shut that thing down. 

With a delegated Active Directory self service system, you can have specific roles have access to create, modify or delete only certain AD objects.  You can get granular enough that a user can even manage their direct reports or only certain attributes in their own profile.  And, you can put workflow approvals on any changes made depending on who made the request (rights based approval routing).

What about users wanting to join groups?  Same thing, create a form for users to request access to a group and send it through appropriate approvals.  Depending on the group or user requesting access, maybe even auto-approve it. 

Why even stop there?  Most users are joining groups to have access to a file or folder.  Use a self service page to request access to that resource and have empowerID map what group that user needs to be in.

But that's not the key here.  The key is that when privileged access to a role or group is requested, don't just give it for an eternity.  Temporary privileged access keeps that user from having permanent access to the role or resource.  Put a time limit on the user's privileged access.  Limit the exposure.

Other useful tools is to require multi-factor authentication (MFA) when the user attempts to use the access.  Before you allow it, require them to authenticate with an SMS text to a known device or identity proofing with something that only they will know.

The idea is that privileged access is needed for many users to do their job.  But give them this access only when they need it.  If they have it permanently, ensure it is really them by utilizing MFA upon usage.  Try to shut down any systems with all or nothing access and create an identity policy and system that gives users another more secure route to access.

And, lastly, track this stuff.  If you know when and for how long a user had privileged access and what user or policy granted this access, you have the audit trail to prove that you are keeping your corporate valuables safe and secure.

Take a look at our whitepaper on replacing ADUC and/or request a demonstration on how to reduce privileged access in your environment.

Getting a user provisioned and productive on your network is one thing, getting their cloud accounts sorted is a whole other ball of wax.  In the old days, you had Active Directory, Exchange, some line of business applications and ERP this and that.  Presto, boomo, you had a provisioned user.

Now if you want to automate the user account provisioning process, you need to account for any cloud applications the user has.  These cloud applications have different UIs, are owned by different lines of business and generally add a wrinkle to your identity and access management that you just don't need.

But it's the world we live in and we have to somehow manage cloud identities with our internal identities.  The three main things to worry about are: 1) provisioning / deprovisioning, 2) role based access control, and 3) federated single sign on.

Automating provisioning and deprovisioniong is the first and most important step.  You pay for these accounts monthly per user so if someone has left the company, you want that account gone immediately.  An IAM platform like empowerID will have connectors to all of your major cloud applications like Salesforce, Google apps or Hubspot.  For those without an out of the box connector, building one with the applications APIs is pretty easy. 

Unless your IAM solution can do role based provisioning, your user will always have this account though.  Remember that provisioning isn't a one time affair, it is a lifecycle for the user, make sure that your automated provisioning workflow (and deprovisioning) takes into account the user's role or attributes and deprovision the account if their role is no longer eligible for the application.

But provisioning these accounts is pointless if you still have to go into the application and manage the user manually.  Application level role based access control (RBAC) is built into most applications.  Most IAM platforms have enterprise level RBAC.  Role mapping is essential for cloud applications, map the enterprise roles to the application role during provisioning and as your user moves around the organization.  An example is Salesforce, if your user is promoted from sales executive to sales director, their enterprise role will change; a good IAM platform will then change their cloud application role along with it.

Last, but not least, is the federated single sign on.  Your users have increased their number of application passwords exponentially (that is a bit of an exaggeration), make sure that you are federating with your cloud applicaitons.  SAML and other standards have made this easy if your IAM platform supports it.  We have a whitepaper on the Top 5 Federated single sign on scenarios, take a look and see what matches your needs.

IT departments spent the better part of the last decade figuring out corporate identities.  Most IAM vendors built their "platforms" before the cloud became so prevalent.  EmpowerID was conceived and built from 2008 onwards with the cloud in mind the entire time.  It is a platform based on a single code base that allows you to manage the provisioning and deprovisioning of cloud accounts, their roles and access, and federation all within a single IAM platform.  You do the work once for all identities, whether it's internal or cloudy.

A demo of this complete ecosystem for your users' identities will show you how simple this can be to manage. 

Role based authentication is not RBAC.  RBAC determines what resource or application you can access based on your role while role based authentication determines how you will need to authenticate to access that resource or application.  In the way EmpowerID performs this function, it is more akin to adaptive authentication.

There is a key difference.  In adaptive authentication, EmpowerID determines your authentication method based on the security level of the resource or application.  For example, to access the main intranet page, you only need to authenticate with your username and password.  To access the employee benefits portal, you may need to authenticate with username and password but also add identity proofing (answer something only you will know).  To access the financials, you will need to perform multi-factor authentication such as enter a PIN that EmpowerID sends to a mobile device that you have registered.  Again, adaptive authentication is all about the security level of the resource or application you are accessing.

Role based authentication is all about you.  Who you are and what your role is determines the levels of authentication you will need to perform.  Back to examples, every employee role needs to enter username and password when authenticating.  Privileged roles such as domain admin or CFO might need to add additional authentication methods such as identity proofing or multi-factor authentication.  Any user who is a member of a role such as "on probation" might need to use multi-factor authentication with a company provided cell phone; using this method, the fastest way to deprovision their access is take away the cell phone, then go and deprovision their user accounts.

But neither of these methods exist in a vacuum.  The best practice would be to manage authorization with a hybrid of role based authentication and adaptive authentication.  Set the security levels on each resource and application and assign roles to each user.  Then develop the authentication workflow where it checks for combinations of role and resource security level to determine what additional levels of authentication are required.  It sounds complicated, but it is pretty simple if you know what resources need the best protection.

I have spent a lot of time lately thinking about passwords and how inherently insecure (unsecure?) they are.  Between users' laziness and apathy towards security and the ease which hackers can break your encryption hashes, a password just isn't enough to secure your most important resources.  Multi factor authentication, whether it is texting a one time PIN or smart cards or tokens, solves this security flaw. 

But at what price to the users?  You will have a rebellion of angry users if you require this extra level of security every time a user logs in.  But with careful implementation of a hybrid role based authentication and adaptive authentication methods, users will only have the extra steps when accessing important sensitive information.  And anyone can understand the need for that.

Let us show you how to accomplish this extra level of security without the onerous burden on your users.

Now you've done it, you have decided to look into an Identity & Access Management (IAM) solution.  There aren't a lot of these IAM solutions out there so it's pretty easy to narrow down the list of IAM vendors.  But, now you have to think, what am I looking for?  What am I trying to solve?

Gartner says that, "IAM ensures the right people get the right access to the right resources at the right time, enabling the right business outcomes."  I trust Gartner so you want to be sure that your IAM solution is doing those things.  Let's break it down:

• The right people: to know the right people you have to have access to all of the identity repositories in your network (HRIS, Active Directory, ERP, line of business apps, etc).  You need to know everything about these users and have a way to "join" the disparate user accounts.  You need to synchronize attributes and provision/deprovision.  You need to constantly inventory all of these systems for any change immediately.  An enterprise directory, or metadirectory, that joins these users and creates what we call a "person object" that links all user accounts gets you to the "right people."
• The right access to the right resources: you could call this identity and access governance or role based access control or even attribute based access control.  We call it all three.  This is the tricky part of all IAM, which is why we built our role engine into everything we do.  Role based provisioning, giving that "right person" the right user accounts.  Hybrid RBAC & ABAC, allowing you to get to an even finer level of granularity by not only looking at the user's role but also looking at attributes to define it further.  Role mapping to ensure that your IAM roles match your application roles (and you only have to manage them in one place).  Polyarchical role structures so that you can mix and match business and system roles for finer granularity.
• At the right time: On average, 20% of your users change jobs every year, that's called internal turnover.  You need to have all of your roles, provisioning jobs, synchronization jobs, and group memberships be dynamic.  This means that they are constantly inventorying every system for changes and kicking off a workflow to make changes to everything to ensure that the "right person" has "the right access to the right resource" right then and there.  It has to be dynamic, all of it has to be dynamic.  Think of it this way, automate automate automate!
• The right business outcomes: this is all about workflow.  Your IAM processes should map into your business, you shouldn't have to map your business process to your IAM solution.  A visual workflow designer that easily (this means without an army of consultants) creates business policy approvals, user approvals, and rights based approval makes all of these IAM changes map to what you need.  Think of it this way, when you are designing your business process, you draw it on a whiteboard.  Shouldn't your IAM process match that and not be lines of code.  Visual IAM workflow.

When you are looking for your IAM solution, this is what you want to look for.  EmpowerID has a pretty amazing solution to all of this and the track record to back it up.  Tell us what you want out of Identity and Access Management and we'll show you how to map it and get all of those bullet points right!

What makes EmpowerID different?  In the crowded Identity and Access Management (IAM, also referred to as IDM) market, our slogan, “A new breed of identity management“ and a little of our history are helpful in understanding the answer to this question.

By 2005, we had spent three years developing and deploying an easy to use and quick to deploy Self-Service Password Management and User Provisioning product.  We realized that clients were consistently asking for many of the same features that couldn’t be found in one offering:

1. The lower cost and ease of use of an application, but also the power and flexibility of a platform
2. The ability to make Identity Management processes conform to their business practices, instead of making changes to accommodate the limitations of an IAM application
3. A modular approach that allows them to buy just what they need now, with the ability to add support for additional directories, platforms, applications and federated single sign-on (SSO) later
4. Freedom from vendor bias, meaning that they don’t want to sacrifice strong support of Microsoft platforms to get strong support for an Oracle, SAP or IBM platform, or any number of other standard and custom applications
5. A high degree of integration among the moving parts of an Identity and Access Management (IAM) platform and a “single pane of glass” to see security across all connected applications, platforms and directories
6. Powerful Role-Based Access Control (RBAC) that allows them to quickly configure access, views and control by a wide range of hierarchies and locations, but which still can have rights added or subtracted manually
7. A standalone Metadirectory that allows them to store information and extended attributes without stuffing them into an internal system like Active Directory
8. Highly flexible, modern user interfaces with “rights-trimmed” user views and support for corporate theming

The first thing that struck us when we reviewed this list of client requests was that we had to develop a fresh, innovative vision if we were to achieve all of these objectives in one solution.  We concluded that we had to think in terms of a platform, by which we mean a common set of code, logic, services, tools, and interfaces that could span every module that we would want to develop in the foreseeable future.  This platform would also have to offer redundancy, high availability and scalability to meet both the demands of the largest enterprises and the rapidly growing number of organizations that need to securely manage Identity information for their partners and customers.

Cobbling together different applications through licensing agreements or acquisitions would not accomplish a key goal for us that has eluded all other major vendors in the IAM market: producing a full-featured platform that could meet all of a client’s major goals while costing significantly less to develop and to expand, as well as costing our customers less to acquire and to maintain.  Key to this would be to build the entire platform on a single codebase that would allow for the accelerated development of new modules and features.

We realized we had only one option to include all of the items on our clients’ wish list: to start from scratch.  By taking a “greenfield” approach we sought to avoid the architectural and design constraints that limit our competitors and to allow us to offer a breakthrough price point for enterprises that had been excluded from acquiring traditional IAM platforms by their high initial cost and their labor intensive implementation and support requirements. 

Our first task was to decide which key elements would be essential to include in this new platform approach to Identity and Access Management, and these are the core components of EmpowerID that when combined make it truly different:

• Workflow – not just a series of simple approvals that other vendors offer, but rather a comprehensive Business Process Automation (BPA) platform that provides the mechanism for executing every action taken by the IAM platform against other connected directories, applications and platforms.  We ship with over 375 workflows in our complete suite that can be installed and can start performing work in a day.  Our visual workflow designer can modify any workflow and create new ones and allows business managers to collaborate with developers by allowing them to see how IAM information flows and is controlled throughout their enterprise.  It collapses the time for producing client-specific customizations and it creates productivity gains through automation.

• Metadirectory – a robust directory that stands apart from all other connected directories so that it can function as a full authoritative source of the “truth” about any identity and its attributes as provided by direct input to it, or by inventorying or directly querying in real-time any connected source.  This Metadirectory can be used to create and manage the lifecycle of an identity independently of any other directory.  It can exist outside of a corporate firewall to safely manage the increasingly complex world of Federated and Cloud Identity.  The Metadirectory also functions as a directory, enabling organizations to allow external partners and customers to authenticate without creating user accounts in the corporate Active Directory.

• Role-Based Access Control (RBAC) – some applications claim to offer this, but a major platform must extend a robust vision of managing roles.  EmpowerID’s RBAC can determine rights from multiple hierarchies and locations.  It works in conjunction with Attribute Based Access Control (ABAC) and another unique contribution we have made to this technology, Rights Based Approval Routing (RBAR), to create remarkably powerful and efficient security with sophisticated approvals, Separation of Duties (SoD) and Attestation capabilities.
  

• Flexible and modern User Interfaces (UI) – this would seem to be an obvious component, yet it is frequently overlooked by many vendors, despite being the face of the application that all users encounter.  We were determined to lead the industry with highly configurable UI that not only allows the security to control each user’s view, but that also enables client branding to create a rich user experience.  This is an important component in driving user acceptance and adoption of self-service components.

So how have we done?  In the four years since the first release of the EmpowerID platform, we have achieved a global presence in some of the world’s largest organizations and in market segments that include: finance, banks, regulatory agencies, governments, energy producers, healthcare, retail, manufacturers, advertising agencies, manufacturers, primary and secondary education, and software developers, among others.  We have single installations with hundreds of thousands of users managing millions of objects and many projects that connect and provide Identity Management for Cloud applications.

The distinguishing characteristics of our wins include:

• We are highly competitive on the pricing of the EmpowerID suite while  offering lower implementation costs and shortened project timeframes due to our requiring less of the custom development and heavy scripting that characterizes our competitors
• We have replaced many IAM applications or we coexist and interoperate in environments with existing IAM investments because of our ability to incorporate existing code with our open workflow platform and our flexible connector and communications models
• Clients make extensive use of our workflow, using it to automate and to design and automate many non-IAM functions because of the extraordinary capabilities of the platform that allow it to drive efficiencies with secure Business Process Automation.  Some clients have gone as far as to build complete applications on their own using our workflow designer.
• We retain responsibility for a successful completed project – we don’t push our clients to buy EmpowerID independent of delivering a successfully completed project like much of our competition that relies on partners of varying quality to deliver a finished result

We continue to aggressively develop EmpowerID, with the release in March of the 2012 version of EmpowerID in conjunction with two new modules: SSO Manager, which integrates Federated Single Sign-On (SSO) into the platform and File Share Manager, which provides shared folder permissions inventory and management.

EmpowerID allows enterprises to securely manage their identities while generating cost-savings from automating and securely delegating tasks.  Our goal is to continue to make Identity and Access Management easier to implement and easier to maintain, permitting an increasingly broader range of enterprises to own the critical IAM technology they need to realize their automation, compliance and Cloud goals.

Discover the new breed in IAM software by exploring EmpowerID.