In the first post of this series we discussed why an organization may be considering implementing an identity and access management solution (IAM). There are clear benefits that a strong, flexible IAM solution can offer around increasing security, validating users, consolidating application access, and enabling compliance with regulations.
When looking at IAM solutions and implementations it is important to consider WHO needs to validated and WHAT needs to have access controls around it. The most comprehensive IAM solutions that are offered help organizations manage all of their applications and enforced strong authentication where needed under appropriate access policies.
When considering the question of WHO, you need to think of your users – from the CEO to the IT administrator and down to the receptionist, we are all users of corporate resources, and we are the biggest security hole in a network.
Users are also the most demanding and difficult component of an infrastructure to manage. We want quick and easy access to our systems and information no matter where we are. This is both a blessing and a curse. The security team of an organization must balance convenience with security and this can be a daunting task. So consider who the users are in your organization, are they all internal users? Do you use out-sourced contractors? Do you have remote offices? Do you have workers that travel? Do you need to block access from certain types of users? Have you already implemented a single sign on (SSO) solution and is it secure?
Understanding who your users are will help you consider what type of access controls that you need to have in place. While users desire an SSO experience – where they enter their credentials once and then have access to everything – you should look for a solution that enables you to set access policies against specific groups of users. Standard SSO solutions are still a risk if the users’ credentials become compromised and effectively this is an easy entry point for hackers into the corporate environment.
The solution that you choose to implement should empower you to increase or relax the authorization/authentication needed for access. The type of authentication needed when a user is inside a corporate environment may be different than the authentication needed when outside of the network, but we’ll talk more about types of authentication when we get to the HOW section of this series.
The solution you deploy should have policies that are configurable for exceptions, risk evaluation, exclusion, and restriction so that you can address the various business use cases that you need to address. Look for a solution that has the flexibility to be adjusted quickly and easily. By implementing this type of solution you will be able to limit the administrative overhead in maintaining a complex environment.
Once you have thought about WHO is accessing resources in your environment you need to think about WHAT they are accessing.
Many organizations have a hybrid mix of applications and resources that are critical to business operations. Managing and maintaining security policies and user credentials for each can be daunting. It’s important to consider the makeup of you infrastructure. What do you need to protect? What are you protecting today? Do you have cloud applications? Are you still using a VPN? Does the organization leverage VDI solutions? Do you have legacy custom applications? Do you have a web portal for users?
In ‘the good ole’ days’ the concern was focused on locking down the corporate infrastructure and putting everything in a secure physical server farm allowing access only within the corporate network. If you were working from home you would need to remote into the network over a secure connection that would generally require multi-factor authentication.
Now, with hybrid environments there is a mix of cloud applications and on premise applications that all need to be secured. The IAM solution that you deploy should be versatile enough to enable you to integrate all your applications and extend access controls and authentication to applications that can’t natively support them. Many of these cloud application support SAML authentication, the IAM platform you deploy should have SAML as an integration point to ensure easy deployment.
What you may find is that layering a strong IAM solution with a Next Generation Firewall or Application Control Appliance will offer you the best protection. The solution that you select should be able to complement your existing environment without requiring you to rip and replace.
Ideally the IAM solution selected should enable you to pull all of your applications into one management platform and allow you to apply policies based on your business needs. A solution that is flexible should permit you to extend access policies against specific applications or the entire environment. The solution should provide you with consolidated reports for compliance audits showing WHO access WHAT in your environment. Having everything centrally managed means that there is less overhead in implementing the solution and provides the ability to make adjustments quickly and easily across your entire infrastructure.
Just as important as WHO and WHAT you are trying to protect is considering WHERE access attempts are coming from and WHEN you need to have a solution implemented. We’ll explore these in Part #3.
Learn how Gemalto’s access management solutions can help augment your existing infrastructure without needing to rip and replace and how you can easily add access controls and strong authentication with our SafeNet Trusted Access solution.