EzIAM™ Identity-as-a-Service was recently launched by 8kMiles on AWS. We get a lot of queries from customers about the technical and functional capabilities of EzIAM, so I am planning a series of blog posts to explain the service in more depth. The following FAQ is an introduction to it.
1. What is EzIAM™?
EzIAM is a cloud-based Identity Management solution that can be configured to deliver three core Identity and Access Management functions:
- Identity Management
- Advanced Authentication
- Single Sign-On
2. How is EzIAM different from an On-premise Identity Management Solution?
With EzIAM a company can outsource the management of its identities entirely to a hosted cloud service. For small and medium businesses in particular this is attractive, as it removes:
- The setup cost of IAM infrastructure
- The skills and knowledge required to run IDM systems
- The day-to-day running and operation of those IDM systems
3. Is EzIAM secure?
All communication to, from and within EzIAM (HTTP, LDAP, database operations, configuration file access, user input into EzIAM's HTML forms, and email notifications) is carried over SSL/TLS using AES cipher suites and certificates with 2048-bit keys. (SSL itself is deprecated; in practice this means TLS.)
4. What are the technology benefits offered by EzIAM?
EzIAM offers a lot of technology benefits for an enterprise:
- SSL/TLS Communications
- IAM Hosted in a secure AWS (Amazon Web Services) Virtual Private Cloud (VPC)
- A multi-tenant environment in which each customer's data is logically and physically segregated from every other customer's data
- Advanced & Multi-factor Authentication features that can be leveraged to control access to high valued assets/resources
- Identity federation infrastructure that lets companies access other SaaS services and expose their own SaaS services to other companies
- Synchronization with on-premise Active Directory & other on-premise endpoints
- Out-of-the box SSO connectors to common SSO endpoints
- Out-of-the box provisioning connectors to common provisioning endpoints
- Option to have custom connectors to custom endpoints (both SSO and provisioning)
- Simple and Complex IDM workflows
- Email Notifications
5. Is EzIAM a multi-tenant solution?
Yes, EzIAM is a multi-tenant solution. Each subscribing company's identity data is logically and physically segregated from every other company's. Each tenant/company has designated Tenant Administrators who control only the identity and access management objects of their own company; no asset of one company can be accessed by a user or administrator of another.
6. How is EzIAM managed?
There are three sets of administrators who functionally manage EzIAM:
- MSP Administrators
- CSP Administrators
- Tenant Administrators
The 8kmiles team manages the EzIAM infrastructure with strict SLAs.
7. Is EzIAM managed 24×7?
Yes. EzIAM is run and operated by 8kMiles under strict SLAs on a 24×7 basis. The 8kMiles team is responsible for fixing any operational or functional issue related to EzIAM and has multiple tiers of support and help desk in place to troubleshoot issues.
8. What is the role of the administrators of a company that signs up for EzIAM?
The Tenant Administrator role in EzIAM is assigned to the person at the subscribing company who is currently responsible for maintaining that company's on-premise IAM infrastructure.
9. Can EzIAM be used to “Request Access” by users to applications?
Yes. EzIAM has a "Request Access" feature through which users can request access to applications. The request is assessed, and access granted or refused, by the administrators who are part of the Request Access workflow.
10. Does EzIAM have email notifications as part of its workflows?
Yes. EzIAM has configurable email servers with secured connections, so that workflow email notifications are sent to and received by identities within EzIAM securely.
11. Does EzIAM support federated access to other SaaS providers and third party applications?
Yes. EzIAM supports federated access to other SaaS providers and third-party applications. A federated partnership is set up between EzIAM and the external party, with EzIAM acting as either the IDP (Identity Provider) or the SP (Service Provider).
12. How is advanced authentication implemented in EzIAM?
Tenant or CSP administrators can apply advanced (strong) authentication schemes to high-value resources within a tenant's deployment. The schemes are configured rather than coded, and an advanced authentication scheme can also be configured as one factor of a multi-factor authentication flow.
13. What are the primary advanced/strong authentication mechanisms supported by EzIAM?
The primary strong authentication mechanisms supported by EzIAM are:
- ArcotID PKI
- ArcotID OTP
14. What is ArcotID PKI?
ArcotID PKI is a software PKI credential built on CA's patented cryptographic key concealment (Cryptographic Camouflage) technology. It is used to authenticate to a website or other online resource through a web browser.
15. What are the features of ArcotID PKI?
The important features of the ArcotID PKI credential are as follows:
- An ArcotID PKI credential can be used only with the correct password
- ArcotID PKI authentication is a challenge-response protocol: a client application on the end user's device signs the server's challenge with the end user's private key, and the signed challenge is sent to the Advanced Authentication Server for verification
- A plausible response is generated for every password that is entered, even an incorrect one, so an attacker who steals the credential cannot test password guesses offline against it
- The validity period of the ArcotID PKI credential is configurable
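To make the challenge-response exchange and the "plausible response for any password" property concrete, here is an added example in Go. It is not code from CA or 8kMiles and not the patented ArcotID construction: it assumes Ed25519 in place of the key type ArcotID uses, an iterated-SHA-256 keystream in place of a real KDF, and an in-memory Server standing in for the Advanced Authentication Server. The names Concealed, Enroll, Respond, SelfConsistent and Server are chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Concealed is the credential file kept on the end user's device: the Ed25519
// seed XORed with a password-derived keystream. It deliberately carries no
// checksum or MAC, so nothing in the file tells an attacker whether a guessed
// password is right. (Assumed construction, not CA's patented one.)
type Concealed struct {
	Salt []byte
	Blob []byte // seed XOR keystream(password, salt); 32 bytes
}

// keystream stretches the password into 32 bytes with iterated SHA-256.
// Stand-in for a real KDF (PBKDF2/Argon2) so the example stays in the stdlib.
func keystream(password string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 0; i < 10000; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Enroll generates the user's key pair and conceals the private seed under the
// password. The public key goes only to the Advanced Authentication Server.
func Enroll(password string) (Concealed, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Concealed{}, nil, err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Concealed{}, nil, err
	}
	return Concealed{Salt: salt, Blob: xor(priv.Seed(), keystream(password, salt))}, pub, nil
}

// unconceal derives a private key from the file and a password. Every 32-byte
// string is a valid Ed25519 seed, so this succeeds for ANY password; a wrong
// password just yields a different, equally well-formed key.
func unconceal(c Concealed, password string) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(xor(c.Blob, keystream(password, c.Salt)))
}

// Respond is the client side: sign the server's challenge with the unconcealed
// key. The result is always 64 well-formed signature bytes.
func Respond(c Concealed, password string, challenge []byte) []byte {
	return ed25519.Sign(unconceal(c, password), challenge)
}

// SelfConsistent is all an offline guesser can check for a candidate password:
// the response verifies under the public key derived from that same candidate.
// It is true for every candidate, so it reveals nothing about the real password.
func SelfConsistent(c Concealed, password string, challenge, sig []byte) bool {
	pub := unconceal(c, password).Public().(ed25519.PublicKey)
	return ed25519.Verify(pub, challenge, sig)
}

// Server stands in for the Advanced Authentication Server: enrolled public
// keys plus one single-use outstanding challenge per user.
type Server struct {
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge issues a fresh random nonce, replacing any earlier one for the user.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	s.pending[user] = ch
	return ch, nil
}

// Verify checks the response against the outstanding challenge and consumes it
// (success or not), so a captured response cannot be replayed. Only the
// enrolled public key can tell a right-password response from a wrong one.
func (s *Server) Verify(user string, sig []byte) error {
	ch, ok := s.pending[user]
	if !ok {
		return errors.New("no outstanding challenge for user")
	}
	delete(s.pending, user)
	if !ed25519.Verify(s.keys[user], ch, sig) {
		return errors.New("response does not verify: wrong password or wrong credential")
	}
	return nil
}
```

The property in the list holds only because the file carries no integrity check and the enrolled public key stays on the server: with the file alone, every guess produces a self-consistent key pair, so there is nothing to brute-force against. It stops holding as soon as an attacker can obtain the public key or observe a genuine (challenge, signature) pair, which is why this exchange belongs inside TLS and why the server consumes each challenge once and should throttle failed verifications.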
16. What is ArcotID OTP?
ArcotID OTP is a software one-time-password credential that turns mobile phones, tablets such as the iPad, and other handheld devices into authentication devices. The ArcotID OTP credential is used for primary authentication and follows the OATH (Initiative for Open Authentication) standard. Like the ArcotID PKI credential, ArcotID OTP uses CA Arcot's patented Cryptographic Camouflage technology to protect the credential against brute-force attacks.
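Because ArcotID OTP follows the OATH standard, the codes it produces are ordinary HOTP (RFC 4226) or TOTP (RFC 6238) values. The Go below is an added example, not code from CA or 8kMiles, and it implements only the OATH part, not the Cryptographic Camouflage layer ArcotID OTP wraps around the secret. It uses the RFC test secret as a constructed input, and HOTPVerifier with its look-ahead window is a server-side design chosen here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation of the 20-byte MAC, then reduction to `digits` (6..8) digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238) is HOTP with the counter taken from the clock:
// floor(unixSeconds / step), with step normally 30 seconds.
func TOTP(secret []byte, unixSeconds int64, step int64, digits int) string {
	return HOTP(secret, uint64(unixSeconds/step), digits)
}

// HOTPVerifier is the server-side state for one event-based credential.
type HOTPVerifier struct {
	Secret  []byte
	Counter uint64 // next counter the server expects
	Window  uint64 // how far ahead to search when the token was advanced without a login
	Digits  int
}

// Verify accepts a code matching any counter in [Counter, Counter+Window) and
// then moves Counter past the match, so an accepted code can never be reused
// and codes behind the counter are rejected.
func (v *HOTPVerifier) Verify(code string) error {
	for i := uint64(0); i < v.Window; i++ {
		c := v.Counter + i
		if subtle.ConstantTimeCompare([]byte(HOTP(v.Secret, c, v.Digits)), []byte(code)) == 1 {
			v.Counter = c + 1
			return nil
		}
	}
	return errors.New("invalid, expired or already-used one-time password")
}
```

A practitioner validates an OATH implementation against the RFC vectors: with the secret "12345678901234567890", HOTP at counter 0 is 755224 and 8-digit TOTP at T=59 is 94287082. The look-ahead window is what lets a token that was pressed a few times without logging in resynchronise, and advancing Counter past the match is what makes every accepted code single-use.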
17. What are the Risk evaluation and Fraud detection features enabled in EzIAM?
EzIAM’s Advanced Authentication service provides real-time protection against fraud in online transactions. This is made possible by the following features:
- End-User Device Identification Data and Location Data
- Risk Score and advice
- Risk Evaluation Rules
- User Device Association
18. What are the secondary authentication mechanisms supported by EzIAM?
Secondary authentication is the additional authentication performed in the following cases:
- An end user has forgotten, or wants to reset, the password or PIN
- An end user's ArcotID PKI or ArcotID OTP credential has expired
- A roaming end user tries to authenticate from a device other than the one used to enrol, and other than one already marked trusted during a previous roaming attempt
- Risk evaluation is enabled and returns an advice to step up authentication for the transaction the end user is attempting
Secondary authentication methods supported by EzIAM are:
- Question and Answer pairs
- Security Code (which is similar to a one time password)
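The risk features listed under question 17 (device identification and location data, risk evaluation rules, a score with an advice, and user-device association) and the risk-triggered case of secondary authentication above form one loop: the advice decides whether secondary authentication is required, and passing it on a new device is what associates that device with the user. The Go below is an added example of that loop, not 8kMiles' or CA's rule set; its three rules, their scores, the thresholds and the Attempt fields are constructed for illustration.

```go
package main

// Advice is the outcome of risk evaluation handed to the authentication flow.
type Advice string

const (
	Allow        Advice = "ALLOW"         // primary authentication is enough
	IncreaseAuth Advice = "INCREASE_AUTH" // require secondary authentication
	Deny         Advice = "DENY"
)

// Attempt is the device identification and location data collected for one
// authentication. The fields are constructed for this example.
type Attempt struct {
	User     string
	DeviceID string // device fingerprint or device cookie
	Country  string
	HourUTC  int
}

// Rule adds Score to the risk score whenever Fires returns true.
type Rule struct {
	Name  string
	Score int
	Fires func(e *RiskEngine, a Attempt) bool
}

// RiskEngine keeps per-user device associations and last-seen location and
// turns the summed rule scores into an advice.
type RiskEngine struct {
	trusted     map[string]map[string]bool // user -> associated device IDs
	lastCountry map[string]string          // user -> country of last success
	Rules       []Rule
	StepUpAt    int // score at or above which advice is INCREASE_AUTH
	DenyAt      int // score at or above which advice is DENY
}

func NewRiskEngine() *RiskEngine {
	e := &RiskEngine{
		trusted:     map[string]map[string]bool{},
		lastCountry: map[string]string{},
		StepUpAt:    40,
		DenyAt:      70,
	}
	e.Rules = []Rule{
		{"device not associated with user", 40, func(e *RiskEngine, a Attempt) bool {
			return !e.trusted[a.User][a.DeviceID] // nil inner map reads as false
		}},
		{"country differs from last successful login", 30, func(e *RiskEngine, a Attempt) bool {
			last, seen := e.lastCountry[a.User]
			return seen && last != a.Country
		}},
		{"login outside 06:00-22:00 UTC", 10, func(e *RiskEngine, a Attempt) bool {
			return a.HourUTC < 6 || a.HourUTC >= 22
		}},
	}
	return e
}

// Evaluate returns the risk score, the advice and the names of the rules that fired.
func (e *RiskEngine) Evaluate(a Attempt) (int, Advice, []string) {
	score, reasons := 0, []string{}
	for _, r := range e.Rules {
		if r.Fires(e, a) {
			score += r.Score
			reasons = append(reasons, r.Name)
		}
	}
	switch {
	case score >= e.DenyAt:
		return score, Deny, reasons
	case score >= e.StepUpAt:
		return score, IncreaseAuth, reasons
	}
	return score, Allow, reasons
}

// AssociateDevice marks the device trusted for the user; call it only after
// the user has passed secondary authentication on that device.
func (e *RiskEngine) AssociateDevice(user, deviceID string) {
	if e.trusted[user] == nil {
		e.trusted[user] = map[string]bool{}
	}
	e.trusted[user][deviceID] = true
}

// RecordSuccess updates the last-seen location after a successful authentication.
func (e *RiskEngine) RecordSuccess(a Attempt) { e.lastCountry[a.User] = a.Country }
```

The sequence the text describes is: a first login from an unknown device scores 40 and returns INCREASE_AUTH, the user answers a secondary challenge, the flow calls AssociateDevice and RecordSuccess, and the same device then scores 0 and is allowed; a later attempt from yet another device, in a new country, at night, accumulates 80 and is denied outright rather than stepped up.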
19. What is a two-step authentication?
When two-step authentication is enabled, the end user is authenticated consecutively by two different authentication methods.
20. What are the Advanced Authentication flows?
The Advanced Authentication service of CA CloudMinder, on which EzIAM's advanced authentication is based, provides various authentication flows that cater to a tenant's business requirements. Each flow secures access to a tenant's resource and defines the authentication steps that take place when end users try to access it.
The Advanced Authentication service offers ArcotID PKI, ArcotID OTP, Security Code and Risk Evaluation as the primary credential types that can be used to secure access to a resource. An advanced authentication flow is based on either a single credential type or a combination of them.
21. What are the Advanced Authentication flows supported by EzIAM?
The Advanced Authentication service offers the following advanced authentication flows for the supported credential types:
- ArcotID PKI Only
- ArcotID PKI with Risk
- ArcotID OTP Only
- ArcotID OTP with Risk
22. What are the ArcotID OTP flows supported by EzIAM?
- ArcotID OTP Only flow
- ArcotID OTP Roaming Download flow
- ArcotID OTP New Device Activation flow
- Forgot my PIN flow
23. What are the primary Identity Management features supported by EzIAM?
- User Management
- Password Management including Synchronizing Passwords on Endpoints
- Role Management (including Admin & Provisioning Roles)
- Access Requests
- Integrating Managed Endpoints
- On-premise Provisioning
- Provisioning with Active Directory
- Identity Policies
- Email Notifications
- Task Persistence
- System Tasks
- Custom Connectors
24. What are the primary SSO features supported by EzIAM?
- SSO Applications configured for your business portal
- Authentication Methods for SSO Applications
- Federated Partnerships to enable SSO
- SSO using a Third-party IDP
- Secure Token Service (STS)
- WS-Trust claims transformation
- Self-registration services for SSO
- User validation for sensitive applications
- Attribute Query Support
- Proxied Attribute Query Support
25. Is EzIAM highly available and load-balanced?
Yes. Each component server of EzIAM is load-balanced and made highly available within the AWS (Amazon Web Services) cloud environment.
26. What are the specific benefits offered by EzIAM to companies, especially SMBs, from a cost standpoint?
- Companies do not have to invest in IAM infrastructure
- Companies do not have to hire or train staff to manage IAM infrastructure
- IAM consultants need not be hired for domain-specific, complex IAM tasks such as IDM setup, federation, SSO or advanced authentication
- The EzIAM infrastructure comes with 24×7 help desk and support, so companies do not have to provide these themselves
27. Can EzIAM support directory synchronization with on-premise Active Directories?
Yes. EzIAM can synchronize with an on-premise Active Directory.
28. Can EzIAM support SSO with on-premise applications?
Yes. EzIAM supports SSO to on-premise applications. It can also protect applications that external users reach through an SSO process, i.e. EzIAM can act as the SP as well as the IDP.
29. Can EzIAM support advanced authentication and/or multi-factor authentication as part of SSO process?
Yes. EzIAM supports advanced authentication and/or multi-factor authentication as part of the SSO process.
30. Can EzIAM UI be customized?
Yes. The EzIAM UI can be customized to reflect the tenant's own look and feel.