In today's fast-moving world of technology, security risks have grown more complex. Many organisations find themselves struggling to give users fast and effortless access to an ever-increasing number of applications, while at the same time they must work to counteract more frequent and sophisticated cyber-attacks. In cartoon format, it's as if every IT security manager has a frustrated business user on one shoulder shouting “convenience” (easy access now!) and a CISO on the other shoulder shouting “control” (lock everything down tight!).
All humour aside, these diametrically opposing forces are being felt by everyone in IT security today, and especially by identity and access management (IAM) professionals.
The case for convenience
Controlling user access has become more challenging with each passing year. Today's workers want anytime, anywhere access, and not just from PC's and laptops, but also from mobile phones and tablets. Users now want the same convenience and flexibility they get with smart devices when they need to access corporate applications. And people require access to an increasing number of digital assets, both corporate and personal. These assets commonly include a mix of cloud applications such as Salesforce, Workday, and Microsoft or Google Apps; social applications such as Facebook, LinkedIn, and Twitter; web applications such as portals and intranets; and traditional on-premises applications (yes, even mainframe apps are still widely in use by many of our customers).
While corporate security would prefer to mandate strong passwords for every corporate application, maintaining separate passwords and authenticating access for each application can be very frustrating for end-users. And it's not just a matter of inconvenience; it's also a matter of productivity. Every minute that a user has to spend retrieving a lost password or having the help desk reset a password is an unproductive minute – and when you multiply the growing number of applications by the amount of time wasted, the high price of inconvenience becomes pretty clear. Clearly, what users want is seamless access to all of the resources they need without the need to constantly re-authenticate – hence the popularity of Single Sign-on (SSO) solutions.
The urgency of addressing cyber-risk
While end-user demands for convenience have never been higher, the need to maintain strong access controls has never been more critical – or more complex. Today's IT security staff must grapple with the explosion of cloud and mobile applications layered on top of the organisation's traditional on-premises applications. They must also manage and enable a globally distributed workforce and partner ecosystem that blurs the lines between employees, contractors, partners, and sometimes, even customers.
To make matters worse, it is no longer enough to focus on defending the organisation's network perimeter. As recent security attacks demonstrate, it is becoming more common for legitimate identities to become the attack vector for cyber-criminals. Instead of targeting networks and application infrastructures, hackers are now exploiting identities to gain access to sensitive systems and data. In the past three years, there have been numerous data breaches caused by cyber-thieves obtaining the identity credentials of employees (usually via phishing), using them to accessing internal networks, and stealing sensitive customer and financial data.
Is single sign-on the answer?
Single sign-on is a method of access control that allows users to login once and gain access to a variety of applications. Instead of having to remember multiple passwords for various systems, users can gain access to many applications with a single password. SSO has many benefits. It makes it easier for users to remember their username and password combinations and less likely to write them down on sticky notes. It also improves productivity by reducing the time users spend entering passwords and the number of incidents where workers are locked out and must get help to reset their passwords.
While Single Sign-on does enhance convenience and user productivity, it comes with a few security risks of its own. There are inherent risks when a single username/password combination unlocks all the resources employees can access. If cyber-thieves obtain that employee's credentials, they will be able to access all of the resources that the employee can. And without enforcement of strong password policies, SSO could make a user's accounts more susceptible to breaches by making more sensitive accounts as easy to access as less sensitive accounts.
Perhaps the biggest security risk of all, however, is the temptation to treat SSO as a panacea – to mistakenly think that SSO is a one-stop solution for all IAM needs. In fact, SSO solutions are not designed to provide the complete set of controls required to secure the enterprise. SSO is one tool in the IAM toolbox, but one that is more focused on convenience than control.
Identity governance – balancing convenience with control
In order to balance SSO's convenience with the proper level of controls, organisations need to complement SSO with robust identity governance solutions. Identity governance provides the right preventive and detective controls required to control access and identify and remediate security issues.
Some of the key functionality that identity governance provides to complement and strengthen SSO includes:
- User provisioning: to automate defined processes for granting, changing, and removing user access privileges.
- Policy management: to help strengthen passwords across all applications and to enforce unwanted “toxic combinations” of access privileges.
- Self-service Password Management: to allow end-users to manage their own credentials, anytime, anywhere, without having to involve the help desk.
- Access certifications: to ensure that user access is appropriate, conforms to policy, and meets audit and compliance requirements.
With Identity governance, organisations can confidently deploy SSO knowing that appropriate preventive controls are in place. By providing fine-grained provisioning based on defined policies and roles, identity governance ensures that users have access to only the minimum resources they need (“least privilege”). When users are terminated, access privileges are automatically revoked not only on the SSO system, but on the target resources and importantly, those applications that are not tied into the SSO solution (rarely are all apps tied into an SSO solution). Identity governance also provides password management to enable the organisation to enforce regular password changes, password strength, and control password reuse across all applications.
Identity governance also provides critical detective controls that allow an organisation to review and monitor user access for anomalies that need further investigation. It is not enough to simply define access controls and forget about them. Too many factors in the environment are constantly changing (users, applications, directories, etc), and sometimes policies and procedures are not followed to the letter. Detective controls allow organisations to identify and rectify problems before they lead to a catastrophic breach. Examples of detective controls include periodic review of access by supervisors and data owners. Every organisation benefits from detection of situations like a fired employee whose privileges were removed from the SSO system, but who still has access to applications from his home computer.
Striking the elusive balance
Like it or not, the days of “locking down” technology environments – and banning personal tools and devices – are over. Partnering with business colleagues to deliver convenience, service, and value is an important goal for today's IT security team. However, as the environment becomes more open and the technology mix becomes more complex, it has never been more critical to implement identity governance with strong controls to mitigate the associated risks.
A balanced IAM strategy will allow organisations to deploy SSO to address business users' convenience needs, while using an identity governance foundation to strengthen security and meet compliance and risk management goals. By embedding identity governance policy and controls throughout all IAM processes, organisations can achieve a healthy, sustainable balance between convenience and control.Contributed by Kevin Cunningham, president, SailPoint
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.