...
The reality for organizations today is that enterprise risks are scattered across many Cloud and on-premise systems and often arise from a risky combination of cross-system access. Given the growing number of enterprise-level applications being made available to organizations, it is imperative that organizations know the permissions model for each application they use. Otherwise, users may have more access than needed, resulting in unnecessary risk. To gain visibility and control over these risks, EmpowerID provides one of the largest IGA connector libraries available, with the ability to connect to and consume even the most idiosyncratic permissions models and inheritance used within your applications. In this way, the permissions in each system can be brought together into one comprehensive and business-friendly permissions model.
Compliant Risk Management
Compliant risk management aims to ensure that organizations deliver compliant access and that changes occurring in native system admin consoles do not create non-compliant access. To achieve this goal, current access assignments must be continually measured against a definition of non-compliant access. Therefore, to define compliant access, you must first define non-compliant access. Risks are a part of the business domain and must be defined and owned by business users as they relate to the organization’s specific industry and business processes. Defining an organization’s risk policies based on toxic combinations of technical entitlements such as application groups or roles is not a viable option. These technical objects have little meaning to business users; the activities they enable and the risks they pose are easily obscured and can change as underlying access shifts.
...
That is where EmpowerID’s Compliant Access Solution comes into the picture. EmpowerID understands that each organization has its own particular language for processes and policies and designed the solution with the flexibility to bring that process language into risk management as is. This model recognizes that delivering compliant access requires more than just repeating “black box” speak. A system that simply repeats technical system language back to users does little to help businesses translate the technical rights in each IT system into the daily business activities necessary for accomplishing business goals.
...
The EmpowerID Compliant Access Solution starts with the premise that all businesses can be broken down into a series of business processes performed during the ongoing production and delivery of their goods or services. Each business process is itself a series of tasks that can be performed by internal or external participants to complete that process. And each individual task in each process can be broken down into the functions that are executed in the course of completing that task. Simply put, EmpowerID defines functions as “business defined activities that a person can perform.” Using this approach, the technical term “ME21N” mentioned above could be translated simply as “Create Purchase Order.” The activities are the same, but the terminology for the latter is immediately clearer for business users.
...
Using functions as the building blocks of what users can do in technical systems, organizations then build their risk policies around those functions, using their own business language for both the functions and the policies. Once functions are named, business process specialists and technical application specialists map those functions to their representative entitlements in their respective applications. Once the mapping is complete, the risk management engine can be enabled to run on a scheduled basis to return users together with the functions they hold. Using “Create Purchase Order” as an example, the end result is that those responsible for risk management can quickly see who in their organization can create a purchase order and where they can do it.
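The mapping and evaluation described above, as an added example that is not EmpowerID's code: business functions are mapped to technical entitlements per application, inventoried user entitlements are translated back into functions, and risk policies are written as toxic combinations of functions rather than of groups or roles. All names, entitlements and users are constructed sample data; the assumption that holding any one mapped entitlement enables the function is mine, not the product's documented semantics.

```python
# Added example (not EmpowerID code): a minimal "function mapping" risk engine.
from collections import defaultdict

# Business function -> technical entitlements, as (application, entitlement).
# Constructed mapping; "ME21N" is the SAP transaction the text translates to
# "Create Purchase Order".
FUNCTION_MAP = {
    "Create Purchase Order": {("SAP", "ME21N"), ("SAP", "Z_PO_CREATE_ROLE")},
    "Approve Purchase Order": {("SAP", "ME29N")},
    "Maintain Vendor Master": {("SAP", "XK01"), ("Coupa", "vendor-admin")},
    "Release Payment": {("SAP", "F110")},
}

# Risk policies in business language: a toxic combination of functions.
RISK_POLICIES = {
    "PO-SoD-01": {"Create Purchase Order", "Approve Purchase Order"},
    "Vendor-SoD-02": {"Maintain Vendor Master", "Release Payment"},
}

# Inventoried user entitlements across systems (constructed sample data).
USER_ENTITLEMENTS = {
    "alice": {("SAP", "ME21N"), ("SAP", "ME29N")},
    "bob": {("SAP", "ME21N")},
    "carol": {("Coupa", "vendor-admin"), ("SAP", "F110")},
    "dave": {("SAP", "MM03")},
}


def functions_for_user(entitlements):
    """Return {function: {applications}} for every function the entitlements enable.
    Assumption: holding any one mapped entitlement enables the function."""
    result = defaultdict(set)
    for function, mapped in FUNCTION_MAP.items():
        for app, entitlement in mapped:
            if (app, entitlement) in entitlements:
                result[function].add(app)
    return dict(result)


def who_can(function_name, users=USER_ENTITLEMENTS):
    """Answer 'who can <function>, and where' as {user: sorted applications}."""
    answer = {}
    for user, entitlements in users.items():
        functions = functions_for_user(entitlements)
        if function_name in functions:
            answer[user] = sorted(functions[function_name])
    return answer


def evaluate_risks(users=USER_ENTITLEMENTS, policies=RISK_POLICIES):
    """Scheduled-run style evaluation: every (user, policy) where the user
    holds the complete toxic combination of functions."""
    violations = []
    for user, entitlements in users.items():
        held = set(functions_for_user(entitlements))
        for policy_id, toxic in policies.items():
            if toxic <= held:
                violations.append((user, policy_id))
    return violations


if __name__ == "__main__":
    print("Create Purchase Order:", who_can("Create Purchase Order"))
    print("Violations:", evaluate_risks())
```

Because the policies reference functions rather than entitlements, re-mapping "Create Purchase Order" to a new custom SAP role changes nothing in the policy definitions; only FUNCTION_MAP is updated and the next scheduled run picks up the new holders.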
...
Figure 3: Risk Management User Interface
...
The EmpowerID SCIM microservice is designed to help you manage your Azure tenants and subscriptions, including licenses and roles. Beyond the licensing challenges associated with Azure subscriptions is the fluid nature of the Azure infrastructure and how quickly new services can be introduced and then decommissioned. This fluidity can make it difficult for security and audit teams to meet their regulatory obligations concerning asset management. The SCIM microservice helps you address both of these issues by giving you full visibility and control over both Azure Roles and Azure licenses via Azure License Manager and Azure RBAC Manager. For more information on setting up the EmpowerID SCIM microservice in Azure, see Deploy the EmpowerID SCIM Microservice /wiki/spaces/CloudAdmin/pages/907509785.
IT Shop Microservice
The IT Shop brings a familiar shopping cart experience to the license access request process. Users simply search for the resources they need and add items to their cart. Managers may shop on behalf of their direct reports as part of the onboarding process. When the user is done shopping, they simply submit their request. The workflow engine determines from your organizational rules what approvals are needed, whether any policies would be violated, and who must approve each request or violation. All participants are kept informed by email notifications, and all requests, decisions and associated fulfillment actions are recorded and integrated into the audit process.
...
Reduce risks through increased visibility — One of Azure’s key strengths is the ease with which new services and IT resources can be self-provisioned on the fly. Also, just as quickly these services can be decommissioned. The elastic nature of the Azure infrastructure and these rapid changes make it difficult for security and audit teams to meet their regulatory obligations concerning asset management. Azure RBAC Manager empowers organizations to maintain an accurate understanding of their Azure security landscape, to optimize its management, and to ensure compliance with an organization’s risk policies by continuously monitoring for changes. Azure RBAC Manager continuously inventories the RBAC structure of your Azure tenants including the tenant Root, Management Groups and subgroups, Subscriptions, and Resource Groups. This structure is key to understanding the scope of your Azure Role assignments and their impact. Azure includes 3 very different types of roles including Azure AD “Directory Roles”, Azure RBAC “Resource Roles”, and Azure “Application Roles”. Azure RBAC Manager handles all three types and even reports the individual fine-grained rights granted by each role. Azure Resource Roles can be assigned at any level or scope in the Azure hierarchy, even on individual resources. Azure RBAC Manager inventories even these individual resources like virtual machines, Kubernetes clusters, and SQL databases including any of their direct role assignments.
Access Intelligence — The greatest challenge in identifying and managing enterprise risk is understanding the actual business access that the technical entitlements granted to users enable. EmpowerID uncovers the real-world impact of Azure access assignments with a concept known as Business Functions. Business Functions are the business user recognizable terms for the activities performed by users with the access they are granted. EmpowerID ships with a large library of function definitions for Microsoft Azure. These functions add transparency to the fine-grained access assignments granted by out of the box and custom Azure Roles. Process owners and application owners may also use the Function mapping tools in EmpowerID to define additional Functions based on your Azure permissions.
Least Privilege Delegated Role Management — With Azure RBAC Manager you gain secure controlled delegation of access management for Azure roles and resources without being required to grant overly broad roles or to grant access to the Azure Portal or Office 365 Admin interfaces. Entitlement managers can see and manage access assignments in one place for all their Azure roles and resources across any number of tenants and environments. Entitlement managers can even delegate access management to non-technical owners to manage access using a non-technical interface. The EmpowerID risk engine ensures delegated admins grant only “Compliant Access” which is position appropriate and does not violate an organization’s risk policies.
Just in Time Temporary Privileged Access — A just-in-time and just-enough administrative access infrastructure can dramatically increase an organization’s overall security by shrinking its attack surface and risk profile. Users require privileged access when performing administrative duties, but permanent access can invite misuse. A just-in-time privileged access system grants temporary access to decrease risk. With Azure RBAC Manager, business users and admins can request temporary elevation of their own privileges on demand. Azure Roles and entitlements can be shopped for using a shopping cart system to request access. The workflow engine determines from your organizational rules what approvals are needed, whether any policies would be violated, and who must approve each request or violation. All participants are kept informed by email notifications, and all requests, decisions and associated fulfillment actions are recorded and integrated into the audit process.
Define and Manage Custom Granular Roles — Azure RBAC Manager supports managing and creating custom Azure Roles. Custom roles can be useful to define least privileged bundles of access whose scope is limited to specific resources or subscriptions. Azure RBAC Manager allows entitlement managers to request custom roles and be responsible for their assignment.
Role Ownership Management and Recertification — A security challenge that develops over time is understanding why roles and role assignments were initially created, by whom, and whether they are still needed. Azure RBAC Manager provides automated processes to identify new roles and assignments, to assign ownership responsibility, to track their usage, and to allow periodic recertification. Recertification ensures that access that is no longer required is eliminated and that least privilege principles are maintained.
Secure Deployment Model — Azure RBAC Manager leverages EmpowerID’s Azure AD SCIM Microservice Connector. This microservice is a fully compliant SCIM 2.0 Server to which EmpowerID communicates to inventory and manage your Azure tenant licenses and security. The microservice can be deployed to your tenant as a native Azure App Service. This deployment model enables secure fine-grained Graph API access managed by your security team. The microservice leverages an Azure Managed Identity which eliminates the need to share credentials.
...
The single log out flow from the above image is as follows:
SP1 sends logout request to EmpowerID.
EmpowerID sends logout request to Azure.
Azure sends logout response to EmpowerID.
EmpowerID sends logout request to SP2.
SP2 sends logout response to EmpowerID.
EmpowerID sends logout request to SP3.
SP3 sends logout response to EmpowerID.
EmpowerID sends logout response to SP1.
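The fan-out in the eight steps above, as an added example that is not EmpowerID's code: an IdP-proxy single logout coordinator receives the initiating SP's request, contacts the upstream identity provider first, then each remaining SP in the session, and only answers the initiator once every peer has replied. Messages are plain dictionaries standing in for SAML LogoutRequest and LogoutResponse elements, the transport is a caller-supplied function so the flow runs offline, and the session data is constructed. The ordering (upstream IdP before the other SPs) and the use of the SAML PartialLogout status when a peer does not answer are my assumptions about how such a coordinator should behave, not documented EmpowerID behaviour.

```python
# Added example (not EmpowerID code): single logout (SLO) coordinator modelled
# on the flow SP1 -> EmpowerID -> Azure -> SP2 -> SP3 -> SP1 described above.
import uuid

# Standard SAML 2.0 status codes.
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"


def _logout_request(destination, session_index):
    """Build a LogoutRequest with a fresh ID so responses can be correlated."""
    return {"type": "LogoutRequest", "ID": "_" + uuid.uuid4().hex,
            "Destination": destination, "SessionIndex": session_index}


def single_logout(initiator, session, send):
    """Run SLO for one session.

    session: {"index": str, "idp": str, "sps": [str]}  (constructed shape)
    send(request) delivers a request and returns the peer's response, or None
    on timeout. Returns (LogoutResponse for the initiator, ordered trace).
    Assumption: the upstream IdP is contacted first, then the other SPs in order.
    """
    trace = []
    failed = []
    peers = [session["idp"]] + [sp for sp in session["sps"] if sp != initiator]
    for peer in peers:
        request = _logout_request(peer, session["index"])
        trace.append(("request", peer))
        response = send(request)
        # A LogoutResponse must answer the request we sent (InResponseTo);
        # anything else, or silence, counts as a failed logout at that peer.
        if (response is None
                or response.get("type") != "LogoutResponse"
                or response.get("InResponseTo") != request["ID"]
                or response.get("Status") != STATUS_SUCCESS):
            failed.append(peer)
            trace.append(("failed", peer))
        else:
            trace.append(("response", peer))
    # Only report full Success to the initiator when every peer logged out.
    status = STATUS_SUCCESS if not failed else STATUS_PARTIAL
    final = {"type": "LogoutResponse", "Destination": initiator,
             "Status": status, "FailedPeers": failed}
    trace.append(("response", initiator))
    return final, trace


def make_peer_transport(unreachable=()):
    """Constructed transport: every peer answers Success except those listed,
    which never reply (simulating a timeout)."""
    def send(request):
        if request["Destination"] in unreachable:
            return None
        return {"type": "LogoutResponse", "InResponseTo": request["ID"],
                "Issuer": request["Destination"], "Status": STATUS_SUCCESS}
    return send


# Constructed session: SP1 initiates, Azure is the upstream IdP, SP2/SP3 remain.
SESSION = {"index": "sess-42", "idp": "Azure", "sps": ["SP1", "SP2", "SP3"]}

if __name__ == "__main__":
    final, trace = single_logout("SP1", SESSION, make_peer_transport())
    for step in trace:
        print(step)
    print(final["Status"])
```

The trace reproduces steps 2 through 8 of the list (step 1 is SP1's incoming request). The unreachable-peer path matters operationally: if the coordinator reported Success to SP1 while SP3 still held a live session, the user would believe they were logged out everywhere when they were not.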
EmpowerID Mobile App for MFA
The EmpowerID Mobile App provides multi-factor authentication (MFA) and chatbot help. The authentication feature provides both push and passcode authentication. You can download the app from the Google Play Store and the Apple App Store for Android and iOS, respectively. You can register multiple devices to your EmpowerID account and you can register multiple accounts to the same device.
...
The object-focused navbar in previous releases of EmpowerID has been simplified and reordered to present users with a less technical, more modular interface. Organizations can further enhance the user experience and completely customize the navbar without writing any code or maintaining a complicated overrides structure. Simply enable one or more of the NavBarSection EmpowerID system settings, localize the text for that section, and define the appropriate Noun and Verb. And if you prefer the old object-focused navbar, you can bring it back by toggling a single system setting.
For more information, see Customizing the Navbar.
...
Figure 12: Customizable Navbar
...
Passwordless Login
In EmpowerID, Passwordless login is a type of multi-factor authentication (MFA) that you can apply to Password Manager Policies to allow users with the policy to skip the password and log in using only their EmpowerID user names or email addresses. This simplifies the login process for users by not requiring them to remember their passwords, while making their accounts more secure through multi-factor authentication.
To log in using Passwordless login, users click the Passwordless Login link on the login page. This initiates the Passwordless Login MFA workflow, which asks the users to submit either their user names or email addresses. The workflow looks at the Password Manager Policy associated with those users and, based on the Passwordless Login MFA settings of that policy, asks each user to authenticate using one or more of the MFA types set for the policy until they reach the required number of MFA points to log in.
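The points-based policy evaluation described above, as an added example that is not EmpowerID's code: the workflow resolves the identifier (user name or email, never a password), then walks the user through the policy's MFA types, accumulating points until the policy's required total is reached. The point values, the required total, the rule that a failed factor earns nothing and the rule that a factor counts only once are all constructed assumptions for illustration; the page does not state EmpowerID's actual defaults.

```python
# Added example (not EmpowerID code): points-based passwordless MFA evaluation.

# Constructed policy: each MFA type is worth a number of points (assumption).
POLICY = {
    "required_points": 3,
    "mfa_types": {"push": 2, "totp": 2, "email_otp": 1, "security_question": 1},
}

# Constructed directory of people; passwordless step 1 only needs name or email.
DIRECTORY = [
    {"username": "jdoe", "email": "jane.doe@example.com"},
    {"username": "asmith", "email": "alex.smith@example.com"},
]


def identify_user(identifier, directory=DIRECTORY):
    """Resolve a user name or email address to a person (case-insensitive).
    Returns None when nothing matches; a password is never accepted here."""
    key = identifier.strip().lower()
    for person in directory:
        if key in (person["username"].lower(), person["email"].lower()):
            return person
    return None


def points_still_available(policy, used):
    """Points the user could still earn from MFA types not yet attempted."""
    return sum(v for t, v in policy["mfa_types"].items() if t not in used)


def evaluate_mfa(policy, attempts):
    """Walk the user's MFA attempts in order.

    attempts: list of (mfa_type, succeeded) as the workflow presents each factor.
    Returns (allowed, points_earned, reason). Stops as soon as the required
    points are reached, or as soon as the remaining types can no longer reach them.
    Assumptions: a failed factor earns nothing; each type counts once.
    """
    points = 0
    used = set()
    for mfa_type, succeeded in attempts:
        if mfa_type not in policy["mfa_types"] or mfa_type in used:
            continue  # not an allowed type for this policy, or already used
        used.add(mfa_type)
        if succeeded:
            points += policy["mfa_types"][mfa_type]
        if points >= policy["required_points"]:
            return True, points, "required points reached"
        if points + points_still_available(policy, used) < policy["required_points"]:
            return False, points, "remaining MFA types cannot reach required points"
    return False, points, "more factors required"


def passwordless_login(identifier, attempts, policy=POLICY):
    """Full flow: identify, then evaluate MFA. Returns (allowed, detail)."""
    person = identify_user(identifier)
    if person is None:
        return False, "unknown user"
    allowed, points, reason = evaluate_mfa(policy, attempts)
    return allowed, f"{person['username']}: {points} points, {reason}"


if __name__ == "__main__":
    print(passwordless_login("Jane.Doe@example.com", [("push", True), ("email_otp", True)]))
    print(passwordless_login("jdoe", [("push", False), ("totp", True)]))
```

Note the early-exit branch: once a user has failed enough factors that the remaining types cannot reach the threshold, the workflow stops rather than prompting further, which keeps a lockout or alerting decision simple to make at the call site.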
...
UI — Management Roles prefixed with UI grant users access to specific UI elements in the EmpowerID Web interface. An example of this type of role is the UI-Computer-PAM-User-Full-Access Management Role. This role grants access to the user interfaces and workflows for requesting PSM access to computers. The Management Role Definitions for these UI- workflows grant access to call the API endpoints used by the user interfaces.
VIS — Management Roles prefixed with VIS grant users the ability to see specific objects (Object level visibility) in EmpowerID. An example of this type of role is the VIS-Computer-MyLocations Management Role. This role grants access to see computers that belong to the same location as the person with the role. Most security-sensitive objects are now not visible by default. Default visibility filter policies assign “No Access” requiring access to be granted (secure by default).
ACT — Management Roles prefixed with ACT grant users the ability to manage specific objects (perform activities) in EmpowerID. An example of this type of role is the ACT-Computer-Shared-Credential-Assigner-MyLocations Management Role. This role grants users with the role the ability to assign and unassign shared credentials to computers in the person's locations.
...
The EmpowerID Orchestration Pack for ServiceNow provides ServiceNow process designers with workflow activities, web services, and example workflows to embed EmpowerID capabilities within their ServiceNow business processes. Example workflows included in the orchestration pack include those listed below. These example workflows can be used as is in production, but are intended to be leveraged by ServiceNow process designers in existing and future workflows.
...
Web Page Designer
Workflow Studio includes a new Page Designer that allows you to design your own web pages using the same objects used in many existing EmpowerID pages:
...
Advanced Search Panels
Trees
Each offers choices that you can customize to create exactly the page that you need. For more information, see Page Designer Overview.
...
All workflow binaries have been migrated from database format to file format, as Workflow Studio now uses GIT for source control. This change increases performance for the EmpowerID SQL Server-based Identity Warehouse and gives organizations the ability to take advantage of the modern DevOps model and practices, which include continuous delivery, frequent deployments, and automation. Workflow Studio developers can make file changes and immediately share those changes with other team members, where they can be tested and integrated into the production environment more quickly and efficiently than was possible using SQL Server as source control.
...
The EmpowerID Cloud Gateway enables your EmpowerID Cloud SaaS tenant to inventory and manage your on-premise systems without requiring ports to be opened on your firewall. The Cloud Gateway is a lightweight client that can be installed on a Windows desktop or server machine in your on-premise network. The Cloud Gateway client then makes a secure and encrypted outbound HTTPS connection to an EmpowerID queue in Azure as a bridge for communication between the EmpowerID Cloud servers and your on-premise network. You can install multiple Cloud Gateways on-premise for fault tolerance and increased performance.
...
Additional Changes for Version 7.151.0.7799 and later
SAP Connector
Inventory behavior has changed to overlapping pagination instead of retrieving all table data simultaneously for each SAP table. This change has led to the overall optimization of memory and greater stability in large environments.
Trailing and leading white spaces in usernames are now ignored, as this sort of data-entry error violates security best practices (by making the erroneous username indistinguishable from its valid record in the EmpowerID UI).
Info: It is highly encouraged that these types of data issues be cleaned up to prevent indistinguishable entries and inaccurate reporting.
The EmpowerID Management Console has been removed. All configuration settings can now be set in the Web application.