
Identity and Access Management

What is Identity and Access management?

Identity and Access Management (IAM) manages user identities and access permissions so that the right users and devices can access the right resources for the right reasons at the right time. This process should be secure and consistent, denying attackers entry into the network while allowing personnel access to company resources such as e-mail, databases and various applications as needed. In today's world, where employees work remotely more often, IAM is essential.

Identity and Access Management Concepts

Before diving into Identity and Access Management, it is vital to understand some of the terms that we run into when exploring this field. One of the challenges for small businesses is understanding the difference between authentication and authorization. Authentication confirms an identity: a person proving that he is who he claims to be by supplying something that proves it (a password, a token, a fingerprint) is authentication. Authorization, on the other hand, is the level of trust granted to that authenticated person, which determines which areas of the network and which resources he can access.

User provisioning is the term for creating user accounts and roles, and it can be automated. RBAC, or role-based access control, is an example of user provisioning. This includes assigning user accounts to a group such as "Front Desk" and then specifying the privileges associated with that group. The result is that all users in that group are able to access everything the group is allowed to access, and nothing more.

Single sign-on (SSO) is an authentication method that allows a user to authenticate across multiple applications while only signing in once. This method is very convenient, as users do not have to remember many passwords for multiple applications. SSO by itself is not a very secure way of authenticating, since one compromised credential unlocks every connected application.

Multifactor Authentication (MFA) is an authentication method where the login process requires multiple authentication methods from independent categories to verify the user's identity. Multifactor Authentication is considerably more secure than single sign-on.

Advantages of Identity and Access Management

Identity and Access Management helps implement access controls at a granular level through automation. It eliminates human error, as well as the time and effort spent on manually implementing access control throughout the business.

It provides an easier way to implement policies surrounding user privileges as well as user authentication and validation. IAM improves the management of potential issues caused by privilege creep (users accumulating rights they no longer need), improving overall business performance.

MFA promotes increased security and a decrease in potential data breaches that might be caused by malicious insiders. By applying the principle of least privilege, IAM restricts users' access to only the areas and resources they specifically need for an assigned task. This means that privilege escalation cannot happen without being noticed.

Using adaptive Multifactor Authentication, users gain rapid access to the resources they need. The overall user experience is enhanced, and with password-less authentication users are rid of the hassle of keeping track of multiple passwords. It allows customers, partners, contractors, and suppliers to access the network through mobile apps, on-premises apps, and SaaS without compromising security.

Identity and access management systems also help demonstrate a company's compliance with regulations by proving that company data is safe and protected.

Modernizing existing IAM Infrastructure

But what if you already have an existing IAM infrastructure? That is all very well, but IAM should continue to evolve as technology improves. IAM is not only about the implementation; it also encompasses the underlying hardware. Failure to modernize hardware can lead to higher security risks. Old and unsupported hardware causes added time and maintenance costs, decreased productivity, and a poor user experience.

When setting up a new IAM system, scalability should be a consideration. When modernizing an IAM system, you should consider speed, scalability, and integration. In some instances, moving IAM to the cloud can be a quick and cost-effective option.

About Multifactor Authentication

Multifactor authentication is a way to authenticate who you are by using more than just a username and password. Sometimes called two-step verification, it adds a second factor to prove identity. The most common factors are something you know, like a password; something you have, like your smartphone; and something you are, like a fingerprint.

During sign-on you enter your username and password, and then a special code is sent to your phone. This passcode is time-sensitive and unique to every session. This adds a layer of defense that prevents a malicious actor who has obtained your login credentials from using them to access the network.

Using Multifactor Authentication does not mean you will need to go through this process every 15 minutes, or every time you access a different application. For normal day-to-day activities you would only need to authenticate once when you log in. However, for critical and sensitive areas you might need to use two-factor authentication more often. Using only passwords is unreliable, and users tend to pick insecure passwords. Users also often re-use passwords across multiple platforms because they tend to forget them.

Implementing MFA in your business

Deploying Multifactor Authentication (MFA) is not always straightforward. In addition to the technical deployment, there is a people element. Remember that MFA is a job for the whole organization and not just the IT team. Training employees and making them part of the process will go a long way towards a smooth transition.

If planning on a slow roll-out, start with a first group of privileged accounts, then progress to all privileged user accounts. The next phase should include the C-level managers, then phase down to employees with higher access rights, and finally to all the rest of the employees. Consider that contractors, partners, and guests will need access too.

For a successful move to MFA, you need to know which systems you have that require sign-in. Also consider apps that do not support MFA, such as older e-mail systems. Upgrading to applications that support MFA should be a priority. Where that is impossible, use network segmentation to restrict access to sensitive data and critical elements of the corporate network.

Testing that MFA works on all applications before roll-out is critical to prevent issues later. Plan how to manage failed log-ins and account lockouts, and consider self-service password resets.

Implementing MFA with good planning ahead will change the environment into a safer one. Once MFA operates smoothly, testing and monitoring become part of the regular IT process. MFA is possibly the single most effective step to improve security in your company.

IAM security statistics

According to Expert Insights, 61% of all breaches involve credentials, whether they be stolen via social engineering or hacked using brute force.

The Identity Defined Security Alliance (IDSA) study "Identity Security: A Work in Progress" reports that 94% of organizations have experienced a data breach, and 79% suffered a breach in the last two years.

The most significant cause was phishing (62%). Among the companies that suffered a phishing attack, the most typical vector was e-mail phishing (93%); 49% of companies suffered a spear-phishing attack, and 27% had been victims of vishing or smishing incidents. Other types of identity-related incidents included brute-force attacks (31%), socially engineered passwords (30%), compromised privileged identities (28%), and stolen credentials (28%).

Personal devices are twice as likely to get malware as corporate devices. Over half of mid-sized businesses (250-5,000 employees) that asked their employees to work remotely experienced a cyberattack. 56% of these companies experienced credential theft, and 48% experienced social engineering attacks such as phishing.

According to IDSA, 99% of respondents who suffered an identity-related breach believe that these types of attack are preventable. Further research shows that 44% of security professionals believe that an identity and access management (IAM) solution will address their current security gaps.

Remote working has increased access to critical business systems by 59% in the last year. On average, organizations today have 51 business-critical applications, over half of which are accessed via mobile devices. According to Expert Insights, 50% of organizations don't have a policy on the security requirements for their remote workers, and 73% of workers haven't received any cybersecurity awareness training from their employer since they began working from home.

On top of that, only half of companies with BYOD policies also have a policy in place to regulate the use of personal devices. Only a third of companies with remote workers provide antivirus software for personal devices. Another third do not require their remote workers to use any method of authentication. Of those that do require authentication, only 35% require Multifactor Authentication (MFA).

Identity Security Breach Methods

Employee actions often cause incidents relating to identity security, with 57% of employees clicking on links in phishing e-mails. Other significant issues are the use of non-authorized equipment and credential sharing between employees. Weak passwords are still a big concern: employees who have too many accounts cannot remember which password belongs to which account, and they also have trouble remembering the complex passwords associated with those accounts. 37% of employees use the same passwords at home for private use and at the office.

Final thoughts

There might not be a golden egg when it comes to implementing the perfect secure IAM system, but companies implementing MFA are moving in the right direction. Training and awareness is one of the most underrated areas of security in companies. Managing access should go hand in hand with education.
