Updated: Aug 31
Access management provides your company with four key functionalities: single sign-on, policy configuration, session management and multi-factor authentication. Once deployed, a solution lets you answer the questions: Who has accessed which app? When? And how was their identity verified?
Choosing an access management solution is not an easy decision. To address your organization’s cost, convenience, and security needs, we’ve outlined below five key factors to consider when shopping for a solution. Here they are:
Access Management Costs
Most IT ecosystems are based on Microsoft, so when looking to add single sign-on, most IT departments consider AD FS as a potential solution. This comes as no surprise, given that AD FS is a free plugin for Microsoft Windows Servers.
However, while AD FS itself can be downloaded for free, there are numerous ‘soft costs’ affecting administration and maintenance that need to be factored in. These include maintenance of on-premises servers, of which AD FS requires four (one AD FS server, one AD FS proxy, and two additional servers for high availability), plus a DirSync server for connecting Office 365 in the event that Office 365 is deployed in your organization. Soft costs also include IT upkeep tasks such as security patching, creating backup tapes and ensuring hardware-software compatibility of the underlying systems.
So while upfront or license costs may be zero, the time and effort involved in the day-to-day operation and maintenance of a single sign-on solution should be taken into account.
It is also good to know that costs may differ by 200 to 400 percent between comparable access management solutions offering the same functionality. A checklist of the must-haves and the nice-to-haves can come in handy when comparing different vendors.
Context-based authentication helps provide a smooth login for your users. However, to ensure strong multi-factor authentication, you will also need 2FA authenticators. Keep in mind:
Regulatory mandates that your organization has to meet. For example, the EPCS Regulation requires FIPS 140-2 validated tokens.
Over-the-air provisioning. If you plan to provision tokens to a distributed workforce, OTP apps or mobile tokens may be the route to go, allowing your 2FA token to be provisioned and activated remotely.
Higher assurance scenarios. Hardware tokens offer a higher level of assurance (see NIST guidelines), meaning that, when combined with additional factors, you have a higher level of certainty that a user is who they claim to be. Note that Microsoft’s solutions, for instance, do not offer any hardware tokens. (Support for third-party OATH tokens is available, but requires an on-prem server.)
Availability aka Uptime
Does the single sign-on solution you are considering offer any assurances regarding uptime? Since your users rely on this type of solution to access the very resources they need to do their job, this is an important aspect to consider when evaluating a potential solution.
Access management service providers, who deliver identity-as-a-service (IDaaS), state the amount of uptime they expect their solution to provide in a service level agreement, or SLA. For example, an SLA of 99.99% availability translates into 13 minutes of unexpected downtime annually, whereas 99% refers to over 3 days of cumulative unexpected downtime.
Since IDaaS providers employ dedicated teams that ensure redundancy and failover via multiple datacenters, and given that their backend operations team is accountable for ensuring the solution is available around the clock, these cloud-based access management services may offer higher uptime than your own in-house team.
In contrast, on-premises solutions may offer lower uptime due to potential operational issues, expensive and time-consuming updates, maintenance and on-site troubleshooting.
When considering this aspect, note that AD FS requires two additional servers for high availability as noted above.
Automation is key to reducing overheads (soft costs). Here are a few automation capabilities you should look for in an access management solution.
Automated provisioning of users and tokens – Ideally, your access management solution will seamlessly integrate with your user store (Active Directory, MySQL, etc.) allowing for automated group-based policies. In this way, every time a user is added, updated or removed in your user store, lifecycle workflows are triggered to provision, update or revoke their permissions and tokens.
Automated alerts that enable management by exception
Self-service portals that reduce helpdesk workloads
Automated capabilities such as the ones above are limited with AD FS, for example.
“Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications.” (source: Techtarget). While this sounds very convenient and saves users a whole lot of time, what happens if that single credential set is compromised?
Buffet-style single sign-on checks the user once and then lets them roam free to any app afterwards. For cloud and web apps that contain sensitive data (e.g. payroll, accounts payable, HR data, source code, CRM), this may not be an ideal fit.
Classic, or buffet-style, SSO is offered by many solutions (e.g. AD FS, Azure and others), but it is no longer sufficient for many scenarios and requires some adjustments in order to adapt to the ever-evolving security and compliance needs of the enterprise.
This is where stepping up authentication after the SSO login helps elevate trust, without sacrificing the convenience of SSO for the majority of apps and scenarios where it is appropriate. By applying scenario-based access policies, you can determine access controls for privileged user groups, sensitive apps, and specific contextual conditions.
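The following is an added example, not code from the original post or from any vendor's product, showing what a scenario-based step-up policy looks like when reduced to its logic: each app declares the assurance level it needs, privileged groups get a higher floor, and a stale verification or an unrecognised device triggers a step-up instead of the buffet-style "allow". The numeric assurance ranks, the sample users and the sample policies are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assurance ranks are this example's assumption: password alone is weakest,
# hardware token strongest (cf. the NIST levels referred to above).
PASSWORD, OTP_APP, HW_TOKEN = 1, 2, 3

@dataclass
class Session:
    user: str
    groups: frozenset
    level: int              # strongest factor verified in this SSO session
    verified_at: datetime   # when that factor was last verified
    known_device: bool      # device previously seen for this user (context)

@dataclass
class AppPolicy:
    app: str
    min_level: int = PASSWORD                # floor for every user
    privileged_groups: frozenset = frozenset()
    privileged_level: int = OTP_APP          # floor for members of those groups
    max_age: timedelta = timedelta(hours=8)  # how long a verification stays fresh

def required_level(policy, session):
    """Assurance level this user must have proven for this app."""
    if session.groups & policy.privileged_groups:
        return max(policy.min_level, policy.privileged_level)
    return policy.min_level

def evaluate(policy, session, now):
    """Return ('allow', reason) or ('step-up', reason) for one app access.
    Buffet-style SSO would answer 'allow' for every app after the first login;
    this adds a per-app check on factor strength, freshness and device context."""
    need = required_level(policy, session)
    if session.level < need:
        return "step-up", f"{policy.app} needs level {need}, session has {session.level}"
    if now - session.verified_at > policy.max_age:
        return "step-up", f"last verification is older than {policy.max_age}"
    if not session.known_device and need > PASSWORD:
        return "step-up", "unrecognised device accessing a sensitive app"
    return "allow", "session satisfies policy"

# Constructed sample data, not taken from the page.
NOW = datetime(2024, 1, 1, 9, 0)
ALICE = Session("alice", frozenset({"staff"}), PASSWORD, NOW, True)
BOB = Session("bob", frozenset({"finance"}), OTP_APP, NOW - timedelta(hours=9), True)
WIKI = AppPolicy("wiki")
PAYROLL = AppPolicy("payroll", OTP_APP, frozenset({"finance"}), HW_TOKEN)
```

With these samples, `evaluate(WIKI, ALICE, NOW)` allows the low-sensitivity app on a password alone, while `evaluate(PAYROLL, BOB, NOW)` returns a step-up because finance members must prove a hardware token for payroll.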
Licensed from the ThalesGroup