IAM: Overcoming the Authentication Challenge
Identity and access management solutions make sure only the right users can get at sensitive data and applications.
Organizations around the world depend on properly implemented identity and access management solutions to secure their data and resources. Work staff, customers and business partners all need appropriate, secure access to information and technology resources on demand. At the same time, an organization must be careful to maintain security controls that prevent unauthorized users from gaining access, as well as block legitimate users from exceeding their authorization.
Identity and access management (IAM) solutions provide enterprises with a secure, centralized approach to managing user identities and access permissions. They work across a variety of different technology platforms, consolidating all access controls on a single platform that improves data security, reduces costs and relieves administrators of the burden of managing access control on many diverse systems.
IAM solutions must integrate not only with the many technologies that organizations use in their own data centers, but also work across the many cloud solutions employed by modern organizations. They must also supplement traditional authentication technologies, such as passwords, with advanced techniques that leverage biometrics, tokens and other factors to combat today’s complex threat environment.
Challenges to providing users secure access
Users demand quick and easy access to systems and information whether they’re located in the office, at home or on the road. Most organizations recognize the need for this access but realize they must balance user demands against difficult security requirements. Cybercriminals know that organizations must support remote users and attempt to exploit enterprise identity systems through the use of social engineering attacks that allow them to compromise the credentials of legitimate users and gain access to enterprise systems. In recent years, social engineering has grown into an increasingly common and effective attack vector.
The demand for secure access poses a serious challenge to IT professionals. The IT team must simultaneously meet the needs of a diverse landscape of users across numerous, disparate applications. Many scenarios arise on a daily basis that require modifications to access permissions. New users are hired and need their access provisioned quickly during their onboarding process. At the same time, current users leave an organization as part of planned retirements or sudden terminations, and they must have their access revoked. Other users change roles within an enterprise because of transfers and promotions and need their access rights updated to reflect their new positions, while removing the permissions they no longer require.
Meeting these demands across a variety of on-premises and cloud applications requires the use of agile and flexible identity and access management solutions. IAM products must be able to handle access rights for many different categories of individuals who are using a variety of devices to access different types of data and workloads. Access control systems must be able to integrate with a wide variety of existing and future information systems, allowing users access to the information they need, wherever it is stored.
Adding to the complexity of the modern identity and access management challenge, business data now exists far beyond the traditional network perimeter. While firewalls and intrusion prevention systems continue to play an important role in network security, organizations cannot depend on them to protect sensitive information that exists outside the traditional network perimeter. Cloud computing and mobile devices spread data across a much broader area, which increases the challenge of protecting access to an organization’s information.
The Problem with Passwords
For decades, passwords served as the primary technology for authentication. From email to online banking, passwords secured the applications that both consumers and businesses rely on every day. Unfortunately, today’s cyberattackers have several potent tools at their disposal that can effectively defeat password-based security mechanisms.
Passwords are particularly susceptible to social engineering attacks. Cybercriminals might call an organization’s help desk and attempt to trick a customer service agent into resetting the password on a legitimate user’s account. Social engineering attacks also take to the web via phishing messages that direct users to fake websites designed to look like legitimate corporate sites but instead harvest passwords for malicious use.
Complex passwords are difficult to guess, but they’re also difficult to remember, prompting users to reuse the same complex passwords across a variety of work-related and personal sites. This poses a significant risk to enterprise security because an attacker who compromises one website and steals a password file may be able to reuse those passwords on work-related sites.
These factors all point in the same direction: The password is rapidly declining as an effective security technology.
What is IAM, and why is it important?
Identity and access management is the information security discipline that allows users access to appropriate technology resources, at the right time. It incorporates three major concepts: identification, authentication and authorization. Together, these three processes combine to ensure that specified users have the access they need to do their jobs, while unauthorized users are kept away from sensitive resources and information.
When a user attempts to access a system or data, he or she first makes a claim of identity, typically by entering a username into the system. The system must then verify this claim of identity through an authentication process. Authentication may use basic knowledge-based techniques, such as passwords, or rely upon advanced technologies, such as biometric and token-based authentication. Once a user successfully completes the authentication process, the IAM system must then verify the user’s authorization to perform the requested activity. The fact that a user proves his or her identity is not sufficient to gain access — the system must also ensure that users perform actions only within their scope of authority.
Without a centralized approach to IAM, IT professionals must manage authentication and authorization across a large number of increasingly heterogeneous technology environments. These environments support many different business functions, some customer-facing and some meeting internal requirements. To work effectively in such an environment, the security professionals managing IAM solutions must understand not only business operations but also the ways that access to IT systems enables those operations.
Effective IAM solutions help enterprises facilitate secure, efficient access to technology resources across these diverse systems, while delivering a number of important benefits:
Improved data security: Consolidating authentication and authorization functionality on a single platform provides IT professionals with a consistent method for managing user access. When a user leaves an organization, IT administrators may revoke their access in the centralized IAM solution with the confidence that this revocation will immediately take effect across all of the technology platforms integrated with that IAM platform.
Reduced security costs: Using a single IAM platform to manage all user access allows administrators to perform their work more efficiently. A security team may have some additional upfront work integrating new systems into an IAM platform but can then concentrate its effort on managing that one platform, saving time and money.
More effective access to resources: When users receive access through a centralized platform, they benefit from the use of single sign-on (SSO) technology that limits the number of interactions they have with security systems and increases the likelihood that their legitimate attempts to access resources will succeed.
These three benefits combine to demonstrate the importance of centralized identity and access management to the modern enterprise.
User Acceptance of Biometrics
Biometric authentication is certainly the most secure approach to verifying a user’s identity, but it also comes with a host of privacy concerns that may limit user acceptance of the technology. For example, users may be hesitant to provide an employer with fingerprints or retinal scans for fear that they might be misused for other purposes.
Organizations adopting a new IAM solution may choose to adopt traditional, on-premises software-based solutions, such as the CA Identity Manager, or adopt one of the increasingly popular cloud-based solutions, such as Okta or Centrify. Whatever solution they choose, organizations should select a platform that can integrate with both on-premises and cloud-based service providers. Those that don’t currently make heavy use of cloud solutions should still consider this an important requirement so that the selection of an IAM product doesn’t limit future options for managing devices, users and applications in the cloud.
The cloud-based approaches to identity management offered by companies such as Centrify and Okta seek to reduce the burden of IAM on enterprises by offering identity management as a service. These vendors provide pre-built integrations with many popular cloud applications, making setup fast and simple. They also offer connectors to traditional enterprise software and operating systems, allowing security teams to use a single cloud-based platform to manage access to both cloud and on-premises computing services.
SSO technology provides important benefits to both users and administrators. Centralizing authentication and authorization on a single platform reduces the number of times that users must authenticate and provides them with a single set of credentials to access diverse systems across the enterprise. That combination of factors greatly improves user satisfaction and reduces the burden that security systems place on an organization. At the same time, SSO improves security by allowing administrators to efficiently manage access across diverse technology platforms from a single console.
Alternative authentication options
Modern IAM systems also support the use of two-factor authentication technology. Users may prove their identity to an IT system using three different authentication factors:
Something you know: Knowledge-based authentication schemes depend on the user and system having a shared secret piece of information, such as a password. This approach is the easiest to implement, but it also provides the least security because passwords may be lost or stolen.
Something you have: Token-based approaches require that the user have a specific device in his or her possession. This device might generate a passcode, contain a digital certificate or run an application that provides secure authentication technology. Anyone who possesses the device linked to a user account may then use it as part of the authentication process. Stolen devices are a problem for this approach.
Something you are: Biometric security technologies read a physical characteristic of the user to complete the authentication process. This might include a fingerprint, retinal scan, voice analysis, facial recognition or some other physical attribute of the user. This technology is quite secure but often requires the purchase of specialized hardware.
Each approach to authentication, used in isolation, has security weaknesses. For this reason, enterprises seeking high levels of security use an approach known as two-factor authentication (2FA). 2FA approaches require users to authenticate using two different techniques, coming from two different authentication factors. For example, an organization might require that a user first provide a password (something you know) and then verify the login attempt on a registered smartphone running an authentication app (something you have). For an attacker to defeat this security approach, he or she would have to both obtain the user’s password and steal his or her smartphone.
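The sequence described above (identification, authentication and authorization) combined with the password-plus-token form of 2FA can be sketched in a few lines. This is an added example, not code from the article or from any IAM product; the user directory, the `request_access` function and the permission names are hypothetical, and the token is modeled as an RFC 6238 time-based passcode.

```python
import hashlib
import hmac
import struct

def totp(secret, now, step=30, digits=6):
    """RFC 6238 time-based one-time passcode (HMAC-SHA1) for Unix time `now`."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password, salt):
    # Salted, slow hash so a stolen credential store is costly to crack.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample directory (illustrative values, not from the article).
USERS = {
    "alice": {
        "salt": b"constructed-salt",
        "pw_hash": hash_password("correct horse battery", b"constructed-salt"),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test key
        "permissions": {"payroll:read"},
    }
}

def request_access(username, password, code, action, now):
    """Return (allowed, reason) for one access request."""
    user = USERS.get(username)  # identification: the claimed identity
    if user is None:
        return False, "authentication failed"
    # Authentication, factor 1 (something you know): the password.
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    # Authentication, factor 2 (something you have): passcode from the token.
    expected = totp(user["totp_secret"], now)
    code_ok = hmac.compare_digest(expected.encode(), code.encode())
    if not (pw_ok and code_ok):
        return False, "authentication failed"  # same answer whichever factor failed
    # Authorization: a proven identity may still only act within its rights.
    if action not in user["permissions"]:
        return False, "not authorized"
    return True, "ok"

if __name__ == "__main__":
    print(request_access("alice", "correct horse battery", "287082", "payroll:read", 59))
```

A stolen password alone fails the second check, and a fully authenticated user is still refused any action outside the listed permissions. A deployed system would additionally rate-limit attempts and reject reuse of an already accepted passcode.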
CDW: A Security Partner that Gets IT
CDW is uniquely positioned to help enterprises leverage the Trend Micro-Microsoft partnership. As a long-standing partner with both companies, CDW works closely with the Trend Micro and Microsoft security teams to provide enhanced security services.
In addition to assisting with the design and implementation of security solutions, CDW staff are available to perform a wide range of security assessments.