The digital technology wave has simplified and streamlined the way that we do business, but it has also put corporations at risk. Data is currency and hacking is profitable. The target of many security breaches is not just financial data; it includes customer data, employee data, and engineering designs. Essentially any digital record can be stolen and sold. Security administrators in many office environments are faced with the challenge of protecting and securing their corporation's sensitive information while balancing usability and access for users. Our market research shows that more organizations are turning to identity and access management (IAM) solutions to address these challenges as the user becomes the new IT perimeter.
Gartner defines IAM as “the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.” But there are many things to consider when you are looking for the solution that best addresses all of the needs of a corporation. When thinking about the right IAM solution for your business, you need to understand all of the moving pieces.
Whenever you are faced with a project of this scope and scale, it is always best to go back to one of the first lessons we all learn in grade school: the 5 W’s (and an H). Using this methodology, let’s take a look at some of the key points to consider to ensure that your organization is implementing a solution that will address all of your needs.
I am going to break this out into a couple of posts. These posts are informed by discussions with decision makers at various organizations and the questions they are asking as they consider the different IAM solutions on the market. Let’s start by considering WHY your organization needs an access management solution.
Some of the questions that are raised around WHY an organization needs access management are: What regulatory compliance requirements on data do you have? Have you been breached, or are you at risk of a breach? Are you looking to protect a hybrid environment? Has the C-level mandated stricter controls? Are you expanding access to entities outside of your corporation? Do you want to implement a single sign-on (SSO) solution?
Your organization may have industry-driven regulatory compliance requirements that you need to adhere to; it may be NIST, GDPR, PCI-DSS, HIPAA, FCA, or another. Many of these regulations require that organizations audit and report on access to sensitive applications and information. A strong IAM solution will have appropriate tracking and reporting, giving complete visibility into your entire infrastructure through a single pane of glass. Many of these guidelines have strict timelines, which we will examine further when we look at the questions of WHEN.
Another strong motivator behind adoption of IAM solutions is the risk of a security breach. This is top of mind, and companies globally are making moves to increase security to protect themselves from costly data loss. The cost of a breach exceeds the initial investment of deploying an IAM solution.
Our breach level index report for 2017 revealed that 1.9 million records were exposed as a result of users. Users are regarded as the weakest link in the security chain of an organization. As you consider IAM solutions, your organization should look for one that focuses on authorization and authentication of users. We’ll explore this a little further when we consider the questions around WHO and HOW.
In our recent global cloud data security study, conducted with the Ponemon Institute, it was found that on average organizations are using 27 cloud applications. Expanding to the cloud, while convenient, poses security challenges, as those resources are no longer internally controlled. Knowing WHAT you need to protect in your environment is critical. The solution you select should provide you with different integration options, allowing you to extend protection to a hybrid deployment. Since many of these cloud applications support SAML authentication, the IAM platform you deploy should have SAML as an integration point to ensure easy deployment.
The desire to implement an SSO solution comes from the desire to improve the user experience. As organizations expand and adopt more applications, it becomes arduous for users to recall which user name and password combination to use for each resource. SSO in its most basic implementation means that the user has one set of credentials that gives them access to everything they need. However, this is risky: if that one credential is compromised, then everything is exposed. The IAM solution that you implement should provide you with a simplified user login experience like SSO without compromising security on sensitive resources. You should have the ability to create policies that enforce strong authentication based on WHEN, WHO, and WHERE the request is coming from.
Whatever your organization's reasons why, you need to find an access management solution that you can deploy quickly and easily. The solution should assist you with consolidating the management of access policies for applications across your environment. A robust system will enhance business productivity while reducing the complexity of your security solution and protecting users in the organization. We’ll explore this more in Part #2, where we look at WHO and WHAT you need to protect.
When looking at IAM solutions and implementations, it is important to consider WHO needs to be validated and WHAT needs to have access controls around it. The most comprehensive IAM solutions on offer help organizations manage all of their applications and enforce strong authentication where needed under appropriate access policies.
When considering the question of WHO, you need to think of your users. From the CEO to the IT administrator and down to the receptionist, we are all users of corporate resources, and we are the biggest security hole in a network.
Users are also the most demanding and difficult component of an infrastructure to manage. We want quick and easy access to our systems and information no matter where we are. This is both a blessing and a curse. The security team of an organization must balance convenience with security, and this can be a daunting task. So consider who the users are in your organization. Are they all internal users? Do you use outsourced contractors? Do you have remote offices? Do you have workers that travel? Do you need to block access from certain types of users? Have you already implemented a single sign-on (SSO) solution, and is it secure?
Understanding who your users are will help you consider what type of access controls you need to have in place. While users desire an SSO experience, where they enter their credentials once and then have access to everything, you should look for a solution that enables you to set access policies against specific groups of users. Standard SSO solutions are still a risk if the users’ credentials become compromised, and effectively this is an easy entry point for hackers into the corporate environment.
The solution that you choose to implement should empower you to increase or relax the authorization/authentication needed for access. The type of authentication needed when a user is inside the corporate environment may differ from the authentication needed when outside of the network, but we’ll talk more about types of authentication when we get to the HOW section of this series.
The solution you deploy should have policies that are configurable for exceptions, risk evaluation, exclusion, and restriction so that you can cover the various business use cases you face. Look for a solution that has the flexibility to be adjusted quickly and easily. By implementing this type of solution you will be able to limit the administrative overhead of maintaining a complex environment.
Once you have thought about WHO is accessing resources in your environment you need to think about WHAT they are accessing.
Many organizations have a hybrid mix of applications and resources that are critical to business operations. Managing and maintaining security policies and user credentials for each can be daunting. It’s important to consider the makeup of your infrastructure. What do you need to protect? What are you protecting today? Do you have cloud applications? Are you still using a VPN? Does the organization leverage VDI solutions? Do you have legacy custom applications? Do you have a web portal for users?
In the ‘good ole days’ the concern was focused on locking down the corporate infrastructure and putting everything in a secure physical server farm, allowing access only from within the corporate network. If you were working from home, you would need to remote into the network over a secure connection that would generally require multi-factor authentication.
Now, with hybrid environments, there is a mix of cloud applications and on-premises applications that all need to be secured. The IAM solution that you deploy should be versatile enough to enable you to integrate all your applications and extend access controls and authentication to applications that can’t natively support them. Many of these cloud applications support SAML authentication, so the IAM platform you deploy should have SAML as an integration point to ensure easy deployment.
What you may find is that layering a strong IAM solution with a Next Generation Firewall or Application Control Appliance will offer you the best protection. The solution that you select should be able to complement your existing environment without requiring you to rip and replace.
Ideally, the IAM solution selected should enable you to pull all of your applications into one management platform and allow you to apply policies based on your business needs. A flexible solution should permit you to apply access policies to specific applications or to the entire environment. The solution should provide you with consolidated reports for compliance audits showing WHO accessed WHAT in your environment. Having everything centrally managed means that there is less overhead in implementing the solution, and it provides the ability to make adjustments quickly and easily across your entire infrastructure.
It is quite rare in today’s business landscape for corporate environments to be isolated or contained to one physical location, or to do business centrally. If you have the luxury of managing a centralized organization, there are still external factors that you need to consider as you think about your IAM implementation; sometimes the smallest environments have the most complexity.
The solution that you implement should not only consider WHO and WHAT needs to be protected, but have the ability to create access controls around WHERE the access attempts are coming from.
And regardless of whether you are a big multi-national corporation or a small local business, the chances are that budgets are constrained and the IT teams have multiple projects in the works. Teams are tasked to do more with less, even though studies show that many organizations are allocating higher budgets for access management solutions.
The Identity and Access Management Index 2018 study that we completed found that spending on access management has increased 45%. Teams are still faced with stringent project timelines, which makes finding an IAM solution that is easy to manage and deploy crucial as you consider WHEN you need to have a solution in place and your budget allocated.
When thinking about the question of WHERE, you need to consider a couple of things. Where are your applications? Where are your users? Do you have multiple offices? Do you leverage remote contract workers? Do you have mobile users? Do you do business in certain countries? Are you going to allow mobile access to resources? How are you monitoring and protecting against traffic coming into your environment from countries where you know you don’t have any workers?
Today’s workforce is more diverse and mobile than ever before, and users need access to corporate resources regardless of where they are. Workers are rarely in a corporate office, and they don’t always have time to open their laptop, connect to a VPN, and log in to the corporate file share in order to pull down and send the documents that are needed. With that in mind, the IAM solution that you implement should offer accessibility without compromising security.
Your remote and mobile workers should have access to all of their applications through an accessible user portal, where you can add strong authentication against sensitive resources. Offering flexible authentication methods becomes an important part of this solution which we will explore further when we consider HOW you are going to enforce and implement your IAM solution.
The Identity and Access Management Index 2018 report revealed that only 43% of respondents were securing their external users with strong authentication. Nearly nine in ten respondents say their organization restricts users from accessing corporate resources from mobile devices on some level; however, slightly worryingly, only 35% report that their organization has complete restrictions in place.
The solution that you select should give you the ability to set different policies depending on whether your users are coming from the corporate office, from an outside source, or from a mobile device. Stronger controls should be in place for requests coming from outside, so that you can validate both the identity and the source of the request.
If your external third parties are located in certain geographic regions, you should be able to restrict access requests to users within that geolocation. Similarly, you should have the flexibility to restrict or deny traffic trying to access your applications from undesired geographic locations.
You need a solution that grants you visibility into where requests are coming from and has policies that can evaluate the risk of certain access sources. The ability to apply different access policies and authentication requirements to trusted versus untrusted entities and locations provides that desired balance of usability and security. Further, having the ability to deny traffic from mobile devices or undesired countries strengthens any network controls that you already have in place. The solution that you select should be as versatile as your business.
Project timelines are generally the largest obstacle when looking at implementation of any new security policy or guideline. So consider: Are there specific deadlines which you need to meet for compliance regulations? What are your internal targets for an implemented solution? What other projects are on the go that need to be balanced? Do you have upcoming security audits? Does your budget have a timeline?
As organizations become more open to the adoption of cloud applications, it makes sense to consider a cloud-based IAM solution or to select a vendor who offers IDaaS (identity as a service). Cloud-based solutions mean reduced infrastructure investment, and generally they can be deployed rapidly across an organization regardless of its size. A solution that offers automation and provides the ability to deploy blanket access policies is ideal and will significantly reduce the number of IT resources needed to implement a strong security solution. By understanding what your timelines are for budget spend and implementation, you can narrow the scope of the solutions that you consider.
Your infrastructure consists of a lot of moving parts and applications, so you will want to select a solution that has template-based integrations out of the box to ensure smooth and rapid deployment. The IAM solution that you choose should also enable you to integrate using SAML, RADIUS and API methods so that you can protect all of the technologies in your environment.
In this series about considering access management, we have explored ideas around why organizations are adopting identity and access management solutions. We’ve thought about what applications need to be protected and what users need to have access. There has been dialogue around taking into consideration where access attempts are originating from, and thought has been given to when solutions need to be in place.
There are a number of solution sets in the market that enable you to implement a single sign-on (SSO) solution and use federated identities. Some of these are IDaaS solutions, some of these are ‘free’, and others require on-premises investment in time and resources. You need to consider what each of these solutions offers as a benefit to your organization, and a key element of this is looking at HOW these solutions are implemented and HOW they add protection to your organization.
It was once considered the utopia of the work environment to have an SSO solution: they are considered easy to manage and easy to use, a win-win for everyone. However, you must consider that many SSO solutions only natively support static passwords, and will require an additional investment to implement strong multi-factor authentication (which is required by many compliance regulations). And in fact, passwords have been proven to be less secure regardless of their complexity or the strong password policies that are put in place.
The Verizon Breach Investigations report revealed that 81% of breaches in 2017 were caused by stolen or weak passwords. Some solutions on the market that offer a multi-factor authentication option can be limited, or rely on other parties to provide the authentication method.
The solution that you select should support universal authentication methods and have a proven track record of offering strong authentication. It should also provide you with the flexibility to choose what authentication method is needed given WHO, WHAT and WHERE the access attempt involves. So let’s think about HOW you are going to protect your access management solution.
Considering how users authenticate to applications and resources is possibly the most important thing that needs to be considered. Are you still relying on passwords? Are you implementing strong password policies? Do you already use strong authentication tokens, either hardware or software? What type of authentication do you want to enforce? If you are using software tokens do they support out of band approval?
How users gain access to systems is critical, because if it isn’t easy for them to do, then they won’t do it. They will resist and complain when you introduce anything other than a password, which is ironic when you think about it: the highest volume of helpdesk service tickets is typically password related.
As we have discussed in previous posts, no environment is homogeneous, and chances are you are faced with needing different types of authentication options for your user base. This presents a new obstacle: how do you effectively manage and maintain the token lifecycle? The solution that you adopt should provide you with the ability to automate the token lifecycle, and should support your established use of directory passwords or certificates. Your IAM solution should act as a business orchestration layer, simplifying your security controls and reducing the burden on your IT teams. A solution that provides automation and self-service options for token management will be more easily adopted.
The most popular authentication method that we have seen adopted for multi-factor authentication in recent years is the software token. Generally this is an application that gets installed on a device, and the user interacts with it to generate one-time passcodes (OTP) for use in an authentication request.
Mobile applications allow this type of token to support PUSH or out-of-band (OOB) approvals. What this means is that the user doesn’t have to type anything into the password field anymore; all they do is press approve in their application. The beautiful thing about this is that it provides a frictionless experience for the user, which means that user adoption will be high, and there will still be strong security in place. This is because the token uses cryptographic libraries to communicate securely with the IAM platform, which authorizes the user and validates the identity.
This type of authentication method offers security because when the request pops up in the application, it indicates which application the request is coming from, and it further provides an audit trail in the management platform. This makes it easier for users to identify when their credentials are being misused, and for IT admins to track users’ authentication and access activities, enabling them to monitor for suspicious use.
You can further drive user adoption of the solution by having an established, easy-to-access user portal which puts all of their business resources in one place, secured by a strongly authenticated login. Being able to assign applications to groups of users ensures that users will only access the resources that they are permitted to access. This approach improves the user experience and removes the need for multiple browser bookmarks or shortcuts, consolidating the applications they need in one place and improving overall productivity.
A user portal can initiate a single sign-on experience for your users, but optimally you should be able to construct your security policies to require stronger authentication when needed for particular scenarios, groups of users, or sensitive applications within the portal, without negatively impacting the overall user experience. Placing controls around what type of authentication, or what combination of authentication methods, is needed depending on where the user is accessing the portal from is also key to consider.
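The WHERE discussion earlier (different policies for office, external and mobile sources, geographic restrictions) and the step-up rules for the portal just described both come down to one policy decision per request. The following added example, which is not code from the original post or from any vendor product, shows such a decision engine: restriction rules are evaluated first, then the required authentication level is stepped up by WHERE the request comes from, WHAT it targets and WHO makes it, and every decision is written to an audit list of the "WHO accessed WHAT from WHERE" form. The policy values, CIDR ranges, country codes and application names are constructed for illustration.

```python
"""Context-aware access policy evaluation (illustrative, not a vendor's product)."""
from dataclasses import dataclass, field
from enum import IntEnum
import ipaddress


class AuthLevel(IntEnum):
    """Ordered so that max() selects the stronger requirement."""
    DENY = 0
    PASSWORD = 1     # single factor, acceptable only from a trusted network
    OTP = 2          # password plus a one-time passcode from a software token
    PUSH_OOB = 3     # password plus out-of-band approval on a registered device


@dataclass
class AccessRequest:
    user: str
    groups: frozenset
    app: str
    source_ip: str
    country: str     # assumed to be resolved from source_ip by a geo lookup
    device: str      # "managed" (corporate laptop) or "mobile"


@dataclass
class Policy:
    trusted_networks: list          # WHERE: CIDRs for corporate offices / VPN
    allowed_countries: frozenset    # WHERE: countries with users or partners
    sensitive_apps: frozenset       # WHAT: apps that always need strong auth
    contractor_groups: frozenset    # WHO: external users get the strongest auth
    mobile_blocked_apps: frozenset  # WHAT: apps never served to mobile devices
    audit: list = field(default_factory=list)


def evaluate(policy: Policy, req: AccessRequest) -> AuthLevel:
    """Restriction rules first, then step-up rules; every decision is audited."""
    src = ipaddress.ip_address(req.source_ip)
    inside = any(src in ipaddress.ip_network(n) for n in policy.trusted_networks)

    if req.country not in policy.allowed_countries:
        level, reason = AuthLevel.DENY, "country not allowed"
    elif req.device == "mobile" and req.app in policy.mobile_blocked_apps:
        level, reason = AuthLevel.DENY, "app blocked on mobile"
    else:
        # WHERE: a trusted network may use a password alone; anything else needs OTP.
        level = AuthLevel.PASSWORD if inside else AuthLevel.OTP
        reason = "trusted network" if inside else "external source"
        # WHAT: sensitive applications always require a one-time passcode.
        if req.app in policy.sensitive_apps:
            level, reason = max(level, AuthLevel.OTP), "sensitive app"
        # WHO: contractors must approve out of band wherever they are.
        if req.groups & policy.contractor_groups:
            level, reason = max(level, AuthLevel.PUSH_OOB), "contractor group"

    policy.audit.append(f"user={req.user} app={req.app} src={req.source_ip} "
                        f"country={req.country} device={req.device} "
                        f"decision={level.name} reason={reason}")
    return level


# Constructed sample policy for illustration only.
EXAMPLE_POLICY = Policy(
    trusted_networks=["10.0.0.0/8"],
    allowed_countries=frozenset({"US", "DE"}),
    sensitive_apps=frozenset({"payroll"}),
    contractor_groups=frozenset({"contractors"}),
    mobile_blocked_apps=frozenset({"engineering-vault"}),
)
```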
An IAM platform that supports varied authentication methods gives you the flexibility to validate your users with secure authentication that can be layered, while still providing users with simplified access to your environment. Your organization isn’t static and your needs are going to change with time, so the solution you select should have flexibility and empower you to adjust policies and requirements as needed.
Adding new applications, changing authentication methods, adding users, and managing the token lifecycle should not increase the burden on IT teams, so you need a solution that is easy to manage, maintain, and implement.
If you approach the implementation of an IAM solution with a thorough understanding of your business's needs and make-up, it will increase the overall security of your environment and be adopted by your user base with minimal friction.
Licensed from Thalesgroup.com under Creative Commons License.