Talk:Identity and access management

From CNM Wiki
Revision as of 00:29, 7 January 2021 by Gary (talk | contribs)

Identity and Access Management: Core Practices to Secure Digital Identities

CONTENTS

∙ Introduction
∙ About IAM
∙ Key Components of IAM
∙ Core Practices
∙ Conclusion
Identities have quietly become the most critical digital assets in the modern era. And whether management knows it or not, many of the most crucial conversations they have with IT are really conversations about identities.
A fast-moving, efficient, and secure business orbits around successfully managing your team's identities, and it always has. But today there are more high-quality corporate resources to connect to than ever before. This diversification of resources is driving a fundamental shift in the Identity and Access Management (IAM) market. If you're not keeping up, you're putting your company at risk of breaches, lost productivity, and falling behind the competition.
This document doesn’t just show how the Identity and Access Management landscape is shifting. It also shows you how to shift along with it. It’s a brave new world of IAM — and you can use it to your advantage to move your business forward even faster and more efficiently.
ABOUT IAM
Let’s start by taking a look at everything IT needs to provision access to in the modern era:
• Internal applications: Apps developed in-house and hosted on-premises (or with cloud infrastructure providers).
• Third-party apps (SaaS): Web apps such as Salesforce, Google Workspace (formerly G Suite), Microsoft 365, GitHub, and Slack.
• Cloud infrastructure: Servers and services from providers like AWS, Azure, and GCP.
• Wi-Fi and network access: The connectivity everything else depends on, including VPNs.
• Documents and/or files: Text files, spreadsheets, PDFs, and reports, wherever they are stored.
• Devices: The Windows, Mac, and Linux systems users log in to.
For years, IT has tried to use legacy identity management systems to control this jumble of new IT resources, even though that means a proliferation of unmanaged identities. Legacy identity management systems are not designed to connect natively to many modern IT resources, like SaaS apps, cloud infrastructure, and Mac devices. 

The identity crisis has been simmering for a decade now, and it’s reaching a boil. This is particularly true now, as the COVID-19 pandemic forced a drastic acceleration in remote work and increased reliance on cloud-based resources. IT administrators around the world are getting overwhelmed and fed up. But here’s the good news: In recent years, there’s been concerted effort to create better identity management solutions for the enterprise.
We're on the brink of an identity revolution. If you take advantage of it now, you won't just make life easier for everyone in the IT department; you'll also get a leg up on the competition because your entire team will be more productive and secure. Now, let's look at the core practices of modern IAM and use them to assess your current identity management strategy.
CORE PRACTICES
In this section, let's examine six practices for modern IAM, each paired with the practical tools and solutions that exist to put it in place.


PRACTICE 1: STRENGTHEN SECURITY
Enterprise security once meant simply installing anti-virus software and a firewall. It used to be that easy. Today, security is at least five layers deep, as shown here:
• Network security: Firewalls, intrusion detection/prevention solutions, VPNs, and others
• Device security: Measures to secure servers, desktops, and laptops
• Application security: Measures to secure internal and web applications
• Data security: Measures to secure data at rest and in flight
• Identity security: Foundation of enterprise security
Each layer is integral, but identity security is fundamental. That's because an attacker holding valid credentials walks through the network, device, and application controls as a legitimate user: the firewall sees an authorized login, not an intrusion. At that point the attacker is already "inside" and can do as they please, which is why credential theft and reuse feature in so many breaches. The good news is that there are steps you can take to significantly bolster identity security.
PRACTICE 2: SECURE ACCESS WITH MFA & CONDITIONAL ACCESS POLICIES
You can take strong measures to verify that users are who they say they are and that they’re accessing only the resources they need to do their jobs.
1. ENFORCE PASSWORD REQUIREMENTS
A high-end computer can now crack an eight-character password in 5.5 hours. (Source: "Password Facts & Tips for Secure Online Presences." Halock. Accessed Oct. 6, 2020. https://www.halock.com/passwords-fascinating-facts/) Figures like this depend heavily on how the password was hashed: a fast, unsalted hash falls quickly, while a deliberately slow, salted password hash raises the attacker's cost by orders of magnitude, so storage (see Practice 6) matters as much as length.

Luckily, IT has the ability to enforce password requirements. Most experts recommend a minimum of 12 characters, and the system should accept much longer passphrases (NIST asks verifiers to allow at least 64). Factors to consider for a password policy:
• Set a minimum length, and a generous maximum
• Accept all printable characters, including spaces and symbols, without forcing a particular mix of them
• Prohibit reuse of previous passwords and screen new passwords against known-breached password lists
• Ensure compliance with applicable regulations
Here the current NIST guidance (SP 800-63B) is worth following: it prefers a longer password over a shorter but more complex one, because length adds more to cracking cost than composition rules do, and a long passphrase is easier for users to remember. Length and uniqueness do most of the work; mandatory complexity rules mainly push users toward predictable substitutions. You can train your users to choose long passwords, but people are just people and they are inevitably beset by password fatigue. For example, a report from LastPass found that 61% of employees reuse passwords despite 91% of them knowing better. (Source: "The Password Exposé." LastPass. Accessed Oct. 6, 2020. https://lp-cdn.lastpass.com/lporcamedia/document-library/lastpass/pdf/en/LastPassEnterprise-The-Password-Expose-Ebook-v2.pdf)
So, encourage your users to adopt a password manager, which generates a unique, long, random password for every account and removes the memorization burden that drives reuse.
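The policy above can be expressed as a small checker on the verifier side. The following is an added example written for this page (not code from the original document or from any vendor); the 12-character floor, the 128-character ceiling, the tiny breached-password list and the password history are constructed assumptions, and a real deployment would consult a full breach corpus and the directory's stored history instead.

```python
"""NIST SP 800-63B-style password policy checker.

Added example, not code from the original page. Assumptions (also stated in
the lead-in): the minimum length (12), the maximum (128), the constructed
breached-password list and the constructed history are illustrative only.
"""
import hashlib
import hmac
import unicodedata

MIN_LENGTH = 12        # assumption: the 12-character floor the text recommends
MAX_LENGTH = 128       # SP 800-63B asks verifiers to accept at least 64 characters

# Constructed stand-in for a breached/common-password blocklist, kept as SHA-1
# hashes (the way Pwned Passwords publishes it) so no plaintext sits on disk.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password1234", "Summer2024!!", "correcthorsebatterystaple")
}

def normalize(password: str) -> str:
    """Apply NFKC so visually identical inputs compare equal (SP 800-63B 5.1.1.2)."""
    return unicodedata.normalize("NFKC", password)

def _history_tag(password: str, user_salt: bytes) -> str:
    """Per-user keyed tag used only for reuse checks, not as the login hash."""
    return hmac.new(user_salt, normalize(password).encode("utf-8"), hashlib.sha256).hexdigest()

def check_password(password: str, username: str, user_salt: bytes, history_tags: set) -> list:
    """Return the list of policy violations; an empty list means acceptable.

    No composition rules (digits, symbols, case) are enforced: SP 800-63B
    advises against them. Length, blocklist, context and reuse are what matter.
    """
    pw = normalize(password)
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        violations.append(f"longer than {MAX_LENGTH} characters")
    if username and username.lower() in pw.lower():
        violations.append("contains the username")
    if hashlib.sha1(pw.encode("utf-8")).hexdigest().upper() in _BREACHED_SHA1:
        violations.append("appears in breached-password list")
    if _history_tag(pw, user_salt) in history_tags:
        violations.append("reuses a previous password")
    return violations

def record_password(password: str, user_salt: bytes, history_tags: set) -> None:
    """Store the reuse tag for a password that was accepted."""
    history_tags.add(_history_tag(password, user_salt))

if __name__ == "__main__":
    salt = b"constructed-per-user-salt"
    history = set()
    record_password("blue-otter-lantern-42", salt, history)
    for candidate in ("Tr0ub4dor&3", "correcthorsebatterystaple",
                      "blue-otter-lantern-42", "quiet harbor lantern tide"):
        print(f"{candidate!r}: {check_password(candidate, 'alice', salt, history) or 'OK'}")
```

Note what the checker does not do: it never rejects a long passphrase for lacking a digit or symbol, and the blocklist and history are compared as hashes, so the checker itself never needs a store of plaintext passwords.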
2. REQUIRE MULTI-FACTOR AUTHENTICATION
Conventional passwords no longer cut it. Employees reuse the same password across multiple sites and ignore best password practices. Even a long, complex password can be phished, captured by malware, or stored insecurely by a third-party site and leaked.
MFA is an easy way to have some extra peace of mind over your business. With MFA, the standard password is supplemented with another form of authentication, be it a TOTP code generated by an app, a hardware security key, or a fingerprint.
This doesn't make it twice as difficult for attackers; it makes it far more difficult, because they now need something you have (or something you are) in addition to something you know. In fact, Google found in a study that MFA via an on-device prompt stopped 100% of automated bots, 99% of bulk phishing attacks, and 90% of targeted attacks on Google accounts. (Source: "New research: How effective is basic account hygiene at preventing hijacking." Google Security Blog. Accessed Oct. 6, 2020. https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html) One caveat: a code the user types into a login page, whether TOTP or SMS, can still be relayed by a real-time phishing proxy. For accounts that attract targeted attacks, prefer phishing-resistant factors such as FIDO2/WebAuthn security keys, which bind the authentication to the legitimate site's origin.
3. ENFORCE CONDITIONAL ACCESS
Set policies to limit user access to organizational data and resources unless they meet certain conditions, such as using a trusted device or accessing via a trusted IP network. If a user isn’t on a trusted device or network, you can either reject their access or require additional authentication, such as MFA, before access is granted.
The workflow, then, is: collect the context of the request (who the user is, what device they are on, where they are connecting from), evaluate it against the policy conditions, and then allow, require step-up authentication, or deny.
PRACTICE 3: CONFIGURE AND SECURE DEVICES
Another important practice is to configure and secure the devices used to access organizational data. Whether they're Mac, Windows, or Linux devices, you can lock them down before users ever log in. Extend users' core identities to their devices so they use the same centrally managed credentials on the device as they do for their other resources, such as SaaS apps; that way one password policy, one MFA policy, and one deprovisioning action cover the device too.
You can also apply key device security measures such as:
• Enforce full disk encryption
• Lock the screen after 120 seconds or less of inactivity
• Disable USB mass storage devices
• Disable access to the control panel/system preferences
• Disable local guest and administrator accounts
• Give users standard (non-admin, non-sudoer) accounts by default
• Patch devices (and installed applications) promptly
With the right device management solution, you can also unlock security commands (e.g., lock and wipe) to use on remote devices if they’re lost, stolen, or otherwise compromised.
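The conditional access policy from Practice 2 and the device baseline from Practice 3 fit together: "trusted device" is not a flag someone sets but the result of checking the device's reported posture against the baseline. The following is an added example for both passages (not code from the original page or from any vendor's product). The posture fields, the 120-second lock and 30-day patch thresholds, the trusted address ranges and the sample requests are all constructed assumptions; the decision policy (deny unmanaged devices, allow trusted device on trusted network, otherwise step up with MFA) is one reasonable choice, not the only one.

```python
"""Conditional access evaluation driven by device posture and source network.

Added example, not the original page's code. Posture fields, thresholds,
trusted networks and sample requests are constructed assumptions.
"""
from dataclasses import dataclass
import datetime as dt
import ipaddress

TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
MAX_LOCK_SECONDS = 120    # from the device baseline in the text
MAX_PATCH_AGE_DAYS = 30   # assumption: how stale a device may be and still count as trusted
TODAY = dt.date(2021, 1, 7)  # constructed "current date" for the sample posture records

@dataclass
class DevicePosture:
    managed: bool                 # enrolled in the device management platform
    disk_encrypted: bool
    lock_timeout_seconds: int
    usb_storage_disabled: bool
    user_is_admin: bool
    last_patched: dt.date

@dataclass
class AccessRequest:
    user: str
    source_ip: str
    mfa_satisfied: bool           # a second factor was already verified this session
    posture: DevicePosture

def posture_failures(p: DevicePosture, today: dt.date = TODAY) -> list:
    """Return the baseline items the device fails; empty means the device is trusted."""
    failures = []
    if not p.managed:
        failures.append("unmanaged device")
    if not p.disk_encrypted:
        failures.append("full disk encryption off")
    if p.lock_timeout_seconds > MAX_LOCK_SECONDS:
        failures.append(f"lock screen > {MAX_LOCK_SECONDS}s")
    if not p.usb_storage_disabled:
        failures.append("USB mass storage enabled")
    if p.user_is_admin:
        failures.append("user runs as local admin")
    if (today - p.last_patched).days > MAX_PATCH_AGE_DAYS:
        failures.append(f"unpatched > {MAX_PATCH_AGE_DAYS} days")
    return failures

def on_trusted_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def evaluate(req: AccessRequest, today: dt.date = TODAY) -> tuple:
    """Decide ALLOW, STEP_UP (require MFA now) or DENY, with the reasons.

    An unmanaged device is denied outright: its posture cannot be verified, so a
    second factor proves nothing about the endpoint. A fully compliant device on
    a trusted network is allowed. Anything in between requires MFA.
    """
    failures = posture_failures(req.posture, today)
    if "unmanaged device" in failures:
        return "DENY", failures
    trusted_net = on_trusted_network(req.source_ip)
    if not failures and trusted_net:
        return "ALLOW", []
    reasons = failures + ([] if trusted_net else ["untrusted network"])
    if req.mfa_satisfied:
        return "ALLOW", reasons
    return "STEP_UP", reasons

def sample_requests() -> dict:
    """Constructed requests covering the policy's outcomes."""
    good = DevicePosture(True, True, 60, True, False, dt.date(2020, 12, 20))
    lax = DevicePosture(True, True, 600, True, True, dt.date(2020, 12, 20))
    rogue = DevicePosture(False, False, 0, False, True, dt.date(2020, 1, 1))
    return {
        "office_good_device": AccessRequest("alice", "10.1.2.3", False, good),
        "home_good_device": AccessRequest("alice", "198.51.100.7", False, good),
        "office_lax_device_mfa": AccessRequest("bob", "10.1.2.3", True, lax),
        "unmanaged_laptop": AccessRequest("mallory", "10.1.2.3", True, rogue),
    }

if __name__ == "__main__":
    for name, req in sample_requests().items():
        decision, reasons = evaluate(req)
        print(f"{name}: {decision} {reasons}")
```

The reasons list is worth returning alongside the decision: it is what you log for the SOC and what you show the user ("enable disk encryption to access this resource from home") instead of an opaque denial.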
PRACTICE 4: IMPLEMENT REGULAR SECURITY TRAINING
Identities are intrinsically linked to user behavior. When everyone on the team understands the dangers associated with identity sprawl, then everyone is invested in eliminating it and keeping the company secure.
Train employees about password hygiene, including what makes a password secure and why it's vital never to reuse passwords between work and personal accounts. Train them to recognize phishing attempts, in email and on look-alike login pages, and to report them. Train them about shadow IT, too, and discourage risky behavior like circumventing IT to create unmanaged accounts.

With regular training (once a quarter, for example) you can reduce risky practices and encourage users to help protect your organization and its identities. With the right solution in place, you can also enable employees to manage and change their core credentials directly on their devices, which is more secure than email- or form-based methods of managing their identities.
PRACTICE 5: DON’T USE APPS FOR YOUR DIRECTORY SERVICE
Some small startups bypass traditional on-prem directories altogether. Instead, they use SaaS-based apps as their core identity source.
Using identities from SaaS apps like Google Workspace or M365/Azure Active Directory can be effective for other cloud resources while requiring little investment and maintenance from IT departments.
The catch is that solutions like Google Cloud Identity and Azure AD weren't built to be truly comprehensive directory services. They don't offer the degree of control required of an identity provider for the whole estate, nor do they connect natively to the wide variety of IT resources users actually touch.
Users access far more resources than simply web applications — and they work on a variety of operating systems (Mac, Windows, Linux, etc.). They also need an internet connection, file storage, and access to cloud servers at AWS. Manually adding user profiles to each of these resources is time consuming, prone to human error, and encourages password fatigue. Additionally, IT admins will lack the control they need to centrally enforce security best practices like MFA, increasing the risk of a breach.
PRACTICE 6: USE A CLOUD DIRECTORY PLATFORM
Modern cloud directory platforms are built from the ground up to manage identities and resources across the cloud and on-prem. Google Workspace? Check. Wi-Fi networks? Check. AWS, Salesforce, Slack, GitHub, and more? Check, check, check, and check.
These platforms integrate with on-prem and cloud-based IT resources via industry-standard protocols: LDAP for directory lookups and binds, RADIUS for Wi-Fi and VPN authentication, SAML for web single sign-on, and SCIM for provisioning and deprovisioning accounts in SaaS apps. With this kind of platform in place, one identity can traverse the plethora of apps, devices/systems, files, and infrastructure that modern business requires.
They also store credentials as salted, one-way hashes rather than reversible ciphertext, so a stolen copy of the directory yields no plaintext passwords and forces an attacker to brute-force each one individually.
That way, each user has one authoritative identity to access virtually all their IT resources, and admins centrally manage and secure that identity — all from the cloud.
CONCLUSION
When people look back on the trajectory of the Identity and Access Management space decades from now, they’ll see an inflection point — the moment when identities stopped proliferating out endlessly and began to consolidate again. The future of identities is simpler, more efficient, and more secure.
As more and more resources move to the cloud, there’s no way around the fact that it’s the most efficient way to manage identities.
But what about security? It might seem like the cloud is an easy target, but with correct security practices applied, the opposite is true. So move forward into the new world of cloud identity management with confidence. High costs and insufficient management are in the rear-view. Better security and authoritative identities lie ahead.