Last updated: 16 March 2017
Everybody knows that the IT perimeter has been permanently warped by cloud-based resources, the consumerization of IT and the ever-agile work day. Information technology and information security decision makers are grappling with the tightrope act of balancing the security of their organization’s data with their stakeholders’ usability expectations. Happily, the pervading need to bridge the identity-mobility-access gap has given rise to innovative identity and access management (IAM) solutions, of which this blog series provides an overview.
As promised, below are additional technologies that have emerged to secure, and restore structure to, a fuzzy IT perimeter.
Access Management and Single Sign-On
Many employees today regularly maintain 20-25 username-and-password sets, also called ‘identities,’ just to be able to stay productive and access the numerous web and cloud applications they need to get their jobs done. To minimize the number of identities we as employees need to maintain, access management solutions and single sign-on (SSO) solutions provide identity federation technology, so that IT departments can simply maintain one identity per user—for all corporate resources—instead of 5 or 10 or 20 identities. This eliminates what’s termed in the industry “password fatigue,” as users can log in with the same username-and-password set to all their VPN, VDI, cloud and web applications. And for IT departments, the use of a single identity per employee considerably lowers overheads, eliminating the 20% of all helpdesk tickets that are password resets for lost or forgotten passwords.
When SSO (or a single-identity scheme) is deployed, additional authenticator factors are used to secure that single identity, so that it cannot be easily compromised and lost to hacking, phishing and malware. Such additional authentication factors may include biometrics, PKI credentials, one-time passcodes and contextual attributes, such as the source network or device-browser pair being used to log in, the time of day, geolocation and others.
SSO, whether in a standalone solution or a broader access management solution, can be achieved through a broad range of identity federation protocols. These include open standards such as SAML 2.0 and OpenID Connect, proprietary protocols such as Microsoft’s WS-Federation, and other technologies such as password vaulting and reverse proxies.
In the world of SSO and access management, the objective is to make the authentication journey as transparent and painless as possible for employees. To that end, step-up authentication is being increasingly embraced by organizations. Step-up authentication requires users to enter an additional authentication factor only in high-risk situations, such as when logging in from outside the corporate network or from an unrecognized device-browser pair. Step-up gives users immediate access to their applications by default, stopping them to perform stronger authentication only when circumstances call for it.
To effectively manage risk in enterprise settings, another concept called “continuous authentication” has been introduced in recent years. With continuous authentication, a step-up factor, such as a password or one-time passcode, is only required if the actual access policy of an application dictates it. An attendance application, in which employees record their work, illness and vacation days, may not require an additional authentication factor when accessed from outside the office. However, a sensitive cloud-based application could be configured to require strong authentication each and every time it is accessed outside the enterprise network. In this way, authentication is applied granularly, per an application’s access policy, rather than as a blanket, uniform rule for all enterprise resources.
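The policy-driven decision described above, as an added example that is not part of the original post: a small evaluator that, per application, checks the contextual attributes the post lists (source network, device-browser pair, geolocation, time of day) and returns the risk signals that require a step-up factor. The corporate address ranges, the per-user list of known device-browser pairs and the two application policies are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data: corporate address ranges and the device-browser
# pairs previously seen for each user (an IdP would keep these in its store).
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
KNOWN_DEVICES = {"alice": {"laptop-4421/Firefox"}, "bob": {"phone-7/Safari"}}

@dataclass(frozen=True)
class LoginContext:
    user: str
    source_ip: str
    device_browser: str   # e.g. "laptop-4421/Firefox"
    country: str          # country code derived from geolocation
    hour: int             # local hour of day, 0-23

@dataclass(frozen=True)
class AppPolicy:
    name: str
    step_up_offsite: bool = False               # sensitive app: extra factor on every offsite access
    require_known_device: bool = True           # unrecognized device-browser pair triggers step-up
    allowed_countries: frozenset = frozenset()  # empty means no geolocation restriction
    business_hours: tuple = (0, 24)             # [start, end): hours with no time-of-day check

def is_corporate(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)

def step_up_reasons(ctx: LoginContext, policy: AppPolicy) -> list:
    """Return the risk signals that require an extra factor for this application.
    An empty list means the existing SSO session alone is sufficient."""
    reasons = []
    if policy.step_up_offsite and not is_corporate(ctx.source_ip):
        reasons.append("sensitive app accessed outside the enterprise network")
    if policy.require_known_device and ctx.device_browser not in KNOWN_DEVICES.get(ctx.user, set()):
        reasons.append("unrecognized device-browser pair")
    if policy.allowed_countries and ctx.country not in policy.allowed_countries:
        reasons.append(f"geolocation {ctx.country} not permitted for {policy.name}")
    start, end = policy.business_hours
    if not start <= ctx.hour < end:
        reasons.append("access outside business hours")
    return reasons

# Two applications with different access policies, as in the post: the attendance
# app tolerates offsite access, the sensitive cloud app always steps up offsite.
ATTENDANCE = AppPolicy("attendance")
FINANCE = AppPolicy("finance-cloud", step_up_offsite=True,
                    allowed_countries=frozenset({"NL", "FR"}), business_hours=(6, 22))

if __name__ == "__main__":
    ctx = LoginContext("alice", "203.0.113.5", "laptop-4421/Firefox", "NL", 9)
    for app in (ATTENDANCE, FINANCE):
        print(app.name, "->", step_up_reasons(ctx, app) or "no step-up needed")
```

The same offsite login on a known device passes the attendance policy untouched but is stopped for a step-up factor by the finance policy, which is the per-application granularity the post describes.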
OpenID Connect
In an effort to bridge the identity gap between browser-based SSO solutions and mobile devices, the OpenID Connect protocol aims to provide a single sign-on framework that will enable the easy implementation of SSO across browser-based applications, native mobile apps and desktop clients. Today, to enable SSO on mobile apps, a container is installed on mobile devices, with that container including all the protected mobile apps one needs for work. In the future, as more solutions adopt the rather new OpenID Connect standard, by authenticating to a single identity provider, we may be able to enjoy SSO for all our applications – be they desktop clients, browser-based applications or native mobile apps.
Bring Your Own Identity (BYOI)
What if on your first day at work, instead of going through the IT department, you could just log in to the corporate network and all your applications with your own social media account or consumer login credential? That day is not far. According to a recent Gemalto survey, 63% of IT decision makers feel security methods designed for consumers provide sufficient protection for enterprises, with over half believing it will be just three years before these methods merge completely.
In the identity management space, vendors and organizations are looking to enable employees and partners to use their own identity to access corporate resources. This identity could theoretically be any identity that provides a sufficient level of identity assurance – for example, government-issued identity cards, healthcare smart cards, as well as online identities, such as social identities, professional network identities and commercially-available identities such as FIDO. The enterprise and consumer worlds are merging closer together, with enterprise security teams under increasing pressure to implement the same type of authentication methods typically seen in consumer services, such as fingerprint scanning and iris recognition.
This installment concludes the IAM trends blog series.
Keep IAM concepts at your fingertips, download the Gemalto Access Management Handbook.
Questions / Shares? Get in touch with me @Mor_at_Gemalto