Last updated: 11 July 2018
In this series about considering access management, we have explored ideas around why organizations are adopting identity and access management solutions. We’ve thought about what applications need to be protected and what users need to have access. There has been dialogue around taking into consideration where access attempts are originating from, and thought has been given to when solutions need to be in place.
There are a number of solution sets in the market that enable you to implement a single sign on solution (SSO) and use federated identities. Some of these are IDAAS solutions, some of these are ‘free’, others require on premise investment in time and resources. You need to consider what each of these solutions offer as a benefit to your organization, and a key element of this is looking at HOW these solutions are implemented, and HOW they add protection to your organization.
It was once considered the utopia of the work environment to have an SSO solution, they are considered easy to manage, easy to use, they are a win-win for everyone. However, you must consider that many SSO solutions only natively support static password, and will require an additional investment to implement strong multi-factor authentication (which is required by many compliance regulations). And in fact passwords have been proven to be less secure regardless of their complexity or the strong password policies that are put in place.
The Verizon Breach Investigations report revealed that 81% of breaches in 2017 were caused by stolen or weak passwords. Some solutions on the market that offer a multi-factor authentication option can be limited or relies on other parties to provide the authentication method.
The solution that you select should support universal authentication methods and have a proven track record for offering strong authentication. It should also provide you with the flexibility to choose what authentication method is needed given WHO, WHAT and WHERE the access attempts involve. So let’s think about HOW you are going to protect your access management solution.
Considering how users authenticate to applications and resources is possibly the most important thing that needs to be considered. Are you still relying on passwords? Are you implementing strong password policies? Do you already use strong authentication tokens, either hardware or software? What type of authentication do you want to enforce? If you are using software tokens do they support out of band approval?
How users gain access to systems is critical, because if it isn’t easy for them to do, then they won’t do it. The will resist and complain when you introduce the use of anything other than the use of a password, which is ironic when you think about it. The highest volume of helpdesk service tickets are typically password related.
As we have discussed in previous posts, no environment is homogeneous and chances are you are faced with needing to have different types of authentication options for your user base. Presenting a new obstacle, how do you effectively manage and maintain the token lifecycle? The solution that you adopt should provide you with the ability to automate the token lifecycle, and should support your established use of directory passwords or certificates. Your IAM solution should act as a business orchestration layer simplifying your security controls and reducing the burden on your IT teams. A solution that provides automation and self-service options for token management will be more easily adopted.
The most popular authentication method that we have seen adopted for multifactor authentication in recent years is the use of a software token. Generally this is an application that gets installed on a device and the user interacts with it to generate one-time passcodes (OTP) for use in an authentication request.
Mobile applications provide the ability for this type of token to support PUSH or out of band (OOB) approvals. What this means that the user doesn’t have to type anything into the password field anymore, all they do is push approve on their application. The beautiful thing about this is that it provides a frictionless experience for the user means that user adoption will be high, and there will still be strong security in place. This is due to the fact that the token users encrypted cryptographic libraries which securely communication to the IAM platform authorizing the user and validating the identity.
This type of authentication method offers security as when the request pops up in the application it indicates what application the request is coming from, and further provides an audit trail in the management platform. This makes it easier for users to identify if their credentials are being hacked, and for IT admins to track users’ authentication and access activities enabling them to monitor for suspicious use.
You can further drive user adoption of the solution by having an established, easy to access user portal which puts all of their business resources in one place secured by a strongly authenticated log in. Being able to assign applications to groups of users ensures that users will only access the resources that they are permitted to access. This approach improves the user experience and will remove the need for multiple browser bookmarks or shortcuts, consolidating the applications they need in one place improving overall productivity.
A user portal can initiate a single sign-on experience for your users, but optimally you should be able to construct your security policies to require stronger authentication when needed for scenarios, groups of users, or sensitive applications within the portal without negatively impacting the overall user experience. Placing controls around what type of authentication or what combined authentication is needed depending on where the user is access the portal from is also key to consider.
An IAM platform that can support varied authentication methods to provide flexibility gives you the ability to validate your users with secure authentication that can be layered while still providing the users with simplified access to your environment. Your organization isn’t static and your needs are going to change with time, so the solution you select should have flexibility and empower you adjust policies and requirements as needed.
Adding new applications, changing authentication methods, adding users, managing the token lifecycle should not increase the burden on IT team so you need a solution that is easy to manage, maintain, and implement.
If you approach the implementation of an IAM solution with a thorough understanding of your businesses needs and make-up, it will increase the overall security of your environment and be adopted by your user base with minimal friction.
Learn how Gemalto’s access management solutions can provide you with a versatile solution that supports universal authentication options and how our SafeNet Trusted Access solution will address your businesses needs today and in the future.