Talk:Identity and access management
Identity and Access Management: Core Practices to Secure Digital Identities
CONTENTS
• Introduction
• About IAM
• Key Components of IAM
• Core Practices
• Conclusion
Identities have quietly become the most critical digital assets in the modern era. And whether management knows it or not, many of the most crucial conversations they have with IT are really conversations about identities.
A fast-moving, efficient, and secure business orbits around successfully managing your team’s identities — and it always has. But today, there are more high-quality corporate resources to connect to than ever before. This diversification of resources contributes to a fundamental shift in the Identity and Access Management (IAM) market. If you’re not keeping up, then you’re putting your company at risk of experiencing breaches, losing productivity, and falling behind the competition.
This document doesn’t just show how the Identity and Access Management landscape is shifting. It also shows you how to shift along with it. It’s a brave new world of IAM — and you can use it to your advantage to move your business forward even faster and more efficiently.
ABOUT IAM
Let’s start by taking a look at everything IT needs to provision access to in the modern era:
• Internal applications: Apps developed in-house and hosted on-premises (or with cloud infrastructure providers).
• Third-party apps (SaaS): These are web apps such as Salesforce, Google Workspace (formerly G Suite), Microsoft 365, GitHub, and Slack.
• Cloud infrastructure: This includes cloud servers from providers like AWS, Azure, and GCP.
• Wi-Fi: The all-important connection to the network and the internet.
• Documents and/or files: This includes text files, spreadsheets, PDFs, and reports.
• Devices: Windows, Mac, and Linux machines.
For years, IT has tried to use legacy identity management systems to control this jumble of new IT resources, even though that means a proliferation of unmanaged identities. Legacy identity management systems are not designed to connect natively to many modern IT resources, like SaaS apps, cloud infrastructure, and Mac devices. The identity crisis has been simmering for a decade now, and it’s reaching a boil. This is particularly true now, as the COVID-19 pandemic forced a drastic acceleration in remote work and increased reliance on cloud-based resources. IT administrators around the world are getting overwhelmed and fed up. But here’s the good news: In recent years, there’s been a concerted effort to create better identity management solutions for the enterprise.
We’re on the brink of an identity revolution. If you take advantage of it now, you won’t just make life easier for everyone in the IT department — you’ll also get a leg up on the competition because your entire team will be more productive and secure. Now, let’s take a look at key components of the IAM market and assess your current identity management strategy.
KEY COMPONENTS OF IDENTITY AND ACCESS MANAGEMENT
1. Directory: Directory services connect users to the IT resources they need. As the core user store, the directory is the foundation of any identity, access, and device management program. There are two primary classifications of directories — the on-premises directory, such as the legacy service Microsoft Active Directory, and the cloud directory platform.
2. Directory extension: Because conventional on-prem directories are ill-equipped to manage many of today’s resources (e.g., Mac, Linux, SaaS, IaaS), a whole category of solutions has been created to extend credentials to other platforms and locations.
3. SSO: Single sign-on solutions strive to consolidate the plethora of web application accounts and resources into one login process via the web browser. This category is also known as first-generation IDaaS (Identity-as-a-Service).
4. Privileged account management: Some directories don’t provide sufficient security or management of critical systems like databases and network infrastructure. Privileged account management has sprung up to fill the void. These systems provide more stringent access controls, including the ability to manage systems and tightly control access to high-value IT resources.
5. Password managers/vaults: End users need to remember so many passwords that a category of solutions has emerged to help. Password vaults store the passwords to your websites and can generate secure passwords for you.
6. Multi-factor Authentication (MFA or 2FA): Passwords are an imperfect form of identity protection. To prevent the breach of high-value resources, a second method of authentication is essential.
CORE PRACTICES
In this section, let’s examine five challenges in modern IAM, as well as practical tools and solutions that exist to address those challenges.
CHALLENGE 1: VULNERABLE IDENTITIES
Credential theft drives breaches — but everyone likes to say, “It will never happen to me.” However, more than one in four data breach victims last year were small businesses. (Source: “2020 Data Breach Investigations Report.” Verizon. Accessed Oct. 6, 2020. https://enterprise.verizon.com/resources/reports/2020/2020-data-breachinvestigations-report.pdf)
Clearly, greater security and stronger authentication are paramount for every organization, large or small. These are some steps you can take to fortify your identities:
• Enforce strong identity controls, including strict password requirements.
• Require multi-factor authentication on devices, applications, and other high-value access points.
• Train employees to use strong, unique passwords, and train them to recognize phishing attempts.
• Encourage users to implement a password manager.
We’ll discuss these steps in greater detail in the Practices sections.
CHALLENGE 2: IDENTITY SPRAWL
Think about all the accounts and passwords the average person has today: email, social media, banking, and on and on. The average internet user has a whopping 150 online accounts — and growing.
This is called identity sprawl, and it’s even worse at workplaces, where you have to factor in a variety of internal and SaaS-based apps. Users have a different account for Slack, M365, Salesforce, GitHub, Google Workspace, and more. Aside from being a headache from a compliance perspective, identity sprawl hurts companies in two big ways:
1. IDENTITY SPRAWL DECREASES SECURITY
Identity sprawl creates a chaotic environment that is difficult to secure. When an employee leaves, instead of being able to deprovision access to all resources with one click, IT must be meticulous and deprovision access individually for each resource. One mistake, one oversight, and someone has access who shouldn’t. To hackers, identity sprawl looks a lot like opportunity.
"People average 150 accounts, but only 5 passwords." — Telesign
2. DECENTRALIZED IDENTITIES REDUCE EFFICIENCY
At the user level, identity sprawl leads users to spend more time logging in and to reuse their passwords (and to ring the help desk when they inevitably can’t remember which password goes to which account). LastPass even discovered that the average user ends up wasting 36 minutes a month just on typing passwords. (Source: “The Password Exposé.” LastPass. Accessed Oct. 6, 2020. https://lp-cdn.lastpass.com/lporcamedia/document-library/lastpass/pdf/en/LastPassEnterprise-The-Password-Expose-Ebook-v2.pdf)
On the admin side, it’s even worse. IT loses centralized control: admins make a change in the central user directory, and it ends up propagating to only some IT resources. This requires admins to keep track of which resources require separate control.
The solution is to consolidate identities, but our next challenge — legacy IAM solutions — is a major roadblock toward that goal.
CHALLENGE 3: LEGACY IDENTITY MANAGEMENT SOLUTIONS
Microsoft Active Directory has served valiantly as a core identity provider since its release with Windows 2000. It earned an early stronghold on the market that’s still in place, but a lot has changed since 1999. In fact, the dominance of Microsoft AD is the single biggest reason for identity sprawl. AD doesn’t effectively manage devices that don’t run Windows — and the number of Mac and Linux devices has been on the uptick year after year.
AD is also poorly equipped to authenticate SaaS-based identities and other cloud resources. The result is a multiplicity of unmanaged identities. So identity sprawl stems directly from companies where the IT department’s hands are tied because they still have to use AD.
The other major legacy directory in place at companies is OpenLDAP. LDAP is better with Linux and Unix systems than AD, but it has the same difficulties managing cloud infrastructure. Furthermore, OpenLDAP speaks only LDAP, so other ascendant protocols like SAML, OAuth, and the re-emerged RADIUS are out of reach. The same goes for the ability to manage Windows and Mac devices.
Ultimately, as long as these legacy systems continue to lock companies into their identity management solutions, IT will be unable to keep up with the changing identity landscape.
CHALLENGE 4: SHADOW IT
Shadow IT refers to systems and solutions implemented inside organizations without the IT department’s knowledge or approval.
Shadow IT is:
• Widespread — 80% of workers use non-permitted SaaS apps.
• Risky — More than 1 in 4 shadow IT apps is high-risk.
• Expensive — Shadow IT accounts for 30-40% of IT spend.
In other words, shadow IT is a major factor contributing to the identity crisis that IT faces today. Whether it's for collaboration, communication, or the transfer of files, shadow IT means more unmanaged identities.
Ultimately, you likely can’t eliminate shadow IT altogether. The approach to mitigate it involves training employees about shadow IT and eliminating the need for it by improving your IT infrastructure to better accommodate and manage the types of apps and IT resources that are likely to be implemented by rogue innovators.
CHALLENGE 5: VENDOR LOCK-IN
The market to manage your identities has never been so competitive.
As a result, one of the more subtle factors working against identity management is vendor lock-in. This refers to all of the companies that are trying to woo you and your organization into using their platforms (often for free) so that you become dependent on their services. Eventually, this means they can lock you into paying for their other services. As TechBeacon put it, once you’re locked in, “it can be hard to port to another vendor’s platform without considerable effort and cost”. (Source: Vijayan, Jaikumar. “Serverless vendor lock-in: Should you be worried?” TechBeacon. Accessed Oct. 6, 2020. https://techbeacon.com/enterprise-it/serverless-vendor-lock-should-you-be-worried)
Microsoft, Google, Amazon — they all know that if they lock up your corporate identities now, you’ll be beholden to them later. These are savvy businesses. Why do you think that they offer so many valuable services for free?
For them, storing your identities (on their infrastructure) means additional revenue elsewhere and locking you into their ecosystem.
For Microsoft, it’s Windows, M365, and Azure. For Google, it’s Google Workspace, Chrome/Android, and Google Cloud Platform. For Amazon, it’s AWS and buying goods and services. They design their infrastructures to be funnels — funnels that eventually guide you to paying for their services and excluding alternatives.
Don’t be a pawn in another player’s game. Understand that your identities are perceived as long-term corporate assets and protect them.
PRACTICE 1: STRENGTHEN SECURITY
Enterprise security once meant simply installing anti-virus software and a firewall. It used to be that easy. Today, security is at least five layers deep, as shown here:
• Network security: Firewalls, intrusion detection/prevention solutions, VPNs, and others
• Device security: Measures to secure servers, desktops, and laptops
• Application security: Measures to secure internal and web applications
• Data security: Measures to secure data at rest and in flight
• Identity security: Foundation of enterprise security
Each layer is integral, but identity security is fundamental. That’s because if a hacker can get credentials, then many other security measures can be bypassed. At that point, the hacker is already “inside” and can do as they please. The good news is that there are steps you can take to significantly bolster identity security.
PRACTICE 2: SECURE ACCESS WITH MFA & CONDITIONAL ACCESS POLICIES
You can take strong measures to verify that users are who they say they are and that they’re accessing only the resources they need to do their jobs.
1. ENFORCE PASSWORD REQUIREMENTS
A high-end computer can now crack an eight-character password in 5.5 hours. (Source: “Password Facts & Tips for Secure Online Presences.” Halock. Accessed Oct. 6, 2020. https://www.halock.com/passwords-fascinating-facts/) Luckily, IT has the ability to implement password requirements. Most experts recommend enforcing a 12-character password requirement — though supporting longer passwords is preferable. Here are some factors to consider for password complexity:
• Set a minimum password length
• Support numbers and special characters
• Prohibit reuse of previous passwords
• Ensure compliance with applicable regulations
It’s also worth taking into account new NIST guidance that stipulates that a longer password is preferred over a shorter but more complex one, as it’s more difficult to crack but easier for users to remember.
Complexity clearly plays a vital role in password security. You can train your users to make passwords of a certain length, but people are just people and they are inevitably beset by password fatigue. For example, a report from LastPass found that 61% of employees reuse passwords despite 91% of them knowing better. (Source: “The Password Exposé.” LastPass. Accessed Oct. 6, 2020. https://lp-cdn.lastpass.com/lporcamedia/document-library/lastpass/pdf/en/LastPassEnterprise-The-Password-Expose-Ebook-v2.pdf)
So, encourage your users to leverage a password manager to ensure that passwords meet stringent complexity requirements and increased length.
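The requirements listed above (a 12-character minimum, support for numbers and symbols, no reuse of previous passwords, and the NIST preference for length over complexity), as an added example that is not part of the original document. It assumes a history of five previous passwords, a 16-character threshold above which the complexity rules are waived, and keeps that history only as salted one-way hashes, so the reuse check never needs a stored plaintext.

```python
# Added example: password policy enforcement with a salted, hashed history.
# MIN_LENGTH follows the 12-character recommendation in the text; the other
# constants are assumptions chosen for illustration.
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

MIN_LENGTH = 12           # recommended minimum from the text
LONG_PASSPHRASE = 16      # assumed: at this length, length wins over complexity (NIST guidance)
HISTORY_SIZE = 5          # assumed: number of previous passwords that may not be reused
PBKDF2_ROUNDS = 100_000   # assumed work factor for the one-way hash

HistoryEntry = Tuple[bytes, bytes]  # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted one-way hash of a password; a fresh random salt is used unless one is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored (salt, digest)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_policy(password: str, history: List[HistoryEntry]) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Complexity rules apply only to shorter passwords: a long passphrase is preferred
    # over a short complex one, so it is not forced to carry digits or symbols.
    if len(password) < LONG_PASSPHRASE:
        if not any(c.isdigit() for c in password):
            problems.append("contains no digit")
        if not any(not c.isalnum() for c in password):
            problems.append("contains no symbol")
    # Reuse check runs against the hashed history, so no previous plaintext is ever kept.
    if any(matches(password, salt, digest) for salt, digest in history[-HISTORY_SIZE:]):
        problems.append("reused a previous password")
    return problems


def rotate_password(password: str, history: List[HistoryEntry]) -> HistoryEntry:
    """Validate a new password against the policy and, if it passes, add it to the history."""
    problems = check_policy(password, history)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    entry = hash_password(password)
    history.append(entry)
    return entry


if __name__ == "__main__":
    # Constructed sample run: rotate once, then try to reuse the same password.
    hist: List[HistoryEntry] = []
    rotate_password("Tr0ub4dor&3xample", hist)
    print(check_policy("Tr0ub4dor&3xample", hist))
```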
2. REQUIRE MULTI-FACTOR AUTHENTICATION
Conventional passwords no longer cut it. Employees are prone to using the same password across multiple sites, and prone to ignoring best password practices. Even if passwords are long and complex, there’s still the possibility of them being stored in insecure ways.
MFA is an easy way to have some extra peace of mind over your business. With MFA, the standard password is supplemented with another form of authentication, be it a TOTP code generated by an app, a hardware security key, or a fingerprint.
This doesn’t make it twice as difficult for hackers. It makes it exponentially more difficult. They not only need something you know, but also something you have. In fact, Google found in a study that MFA via an on-device prompt stopped 100% of automated bots, 99% of bulk phishing attacks, and 90% of targeted attacks on Google accounts. (Source: “New research: How effective is basic account hygiene at preventing hijacking.” Google Security Blog. Accessed Oct. 6, 2020. https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html)
3. ENFORCE CONDITIONAL ACCESS
Set policies to limit user access to organizational data and resources unless they meet certain conditions, such as using a trusted device or accessing via a trusted IP network. If a user isn’t on a trusted device or network, you can either reject their access or require additional authentication, such as MFA, before access is granted.
Here’s the conditional access workflow:
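The decision logic of that workflow, as an added example that is not part of the original document. It assumes a policy that treats a request as trusted only when both the device and the source network are trusted, and that an untrusted request is either denied outright or allowed after MFA, as the policy chooses; device IDs, networks and requests are constructed.

```python
# Added example: a minimal conditional access policy evaluator.
# Outcomes follow the text: trusted context -> allow; otherwise deny, or
# require MFA and allow once it has been completed.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set

ALLOW, REQUIRE_MFA, DENY = "allow", "require_mfa", "deny"


@dataclass
class Policy:
    trusted_device_ids: Set[str] = field(default_factory=set)
    trusted_networks: List[str] = field(default_factory=list)   # CIDR strings, e.g. "10.0.0.0/8"
    allow_mfa_stepup: bool = True   # False: reject untrusted requests instead of asking for MFA

    def __post_init__(self):
        # Parse the CIDRs once so membership tests below are cheap and validated early.
        self._networks = [ipaddress.ip_network(n, strict=False) for n in self.trusted_networks]


@dataclass
class AccessRequest:
    user: str
    device_id: str
    source_ip: str
    mfa_completed: bool = False


def evaluate(policy: Policy, req: AccessRequest) -> str:
    """Return ALLOW, REQUIRE_MFA or DENY for a single access attempt."""
    try:
        ip = ipaddress.ip_address(req.source_ip)
    except ValueError:
        # A request that cannot even state a valid source address is never trusted.
        return DENY
    on_trusted_network = any(ip in net for net in policy._networks)
    on_trusted_device = req.device_id in policy.trusted_device_ids
    if on_trusted_device and on_trusted_network:
        return ALLOW
    # Untrusted device or network: reject, or step up to a second factor.
    if not policy.allow_mfa_stepup:
        return DENY
    return ALLOW if req.mfa_completed else REQUIRE_MFA


if __name__ == "__main__":
    # Constructed sample: one managed laptop, one trusted corporate network.
    policy = Policy(trusted_device_ids={"laptop-001"}, trusted_networks=["10.0.0.0/8"])
    print(evaluate(policy, AccessRequest("alice", "laptop-001", "10.1.2.3")))      # allow
    print(evaluate(policy, AccessRequest("alice", "laptop-001", "203.0.113.5")))   # require_mfa
```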
PRACTICE 3: CONFIGURE AND SECURE DEVICES
Another important practice is to configure and secure the devices used to access organizational data. Whether they’re Mac, Windows, or Linux devices, you can take steps to lock them down before users log in. Extend users’ core identities to their devices so they use the same credentials on their devices as they do to log into their other resources, such as SaaS apps; that way those credentials are centrally managed and secured.
You can also apply key device security measures such as:
• Enforce full disk encryption
• Set the screen to lock after 120 seconds of inactivity or less
• Disable USB mass storage devices
• Disable control panel access/system preferences access
• Disable local guest and administrator accounts
• Default user permissions to standard non-admin/non-sudoer accounts
• Patch devices (and installed applications)
With the right device management solution, you can also unlock security commands (e.g., lock and wipe) to use on remote devices if they’re lost, stolen, or otherwise compromised.
PRACTICE 4: IMPLEMENT REGULAR SECURITY TRAINING
Identities are intrinsically linked to user behavior. When everyone on the team understands the dangers associated with identity sprawl, then everyone is invested in eliminating it and keeping the company secure.
Train employees about password hygiene, including what makes a password secure and why it’s vital to avoid repeating passwords between work and personal accounts. Train employees how to recognize phishing attempts, including phishing emails. Train employees about shadow IT, too, and discourage risky behavior like circumventing IT to create unmanaged accounts. With regular training — once a quarter, for example — you can reduce risky practices and encourage users to help protect your organization and its identities. With the right solution in place, you can also train and enable employees to manage and change their core credentials directly on their devices, which is more secure than email- or form-based methods of managing their identities.
PRACTICE 5: DON’T USE APPS FOR YOUR DIRECTORY SERVICE
Some small startups bypass traditional on-prem directories altogether. Instead, they use SaaS-based apps as their core identities.
Using identities from SaaS apps like Google Workspace or M365/Azure Active Directory can be effective for other cloud resources while requiring little investment and maintenance from IT departments.
The only problem with this is that solutions like Google Cloud Identity and Azure AD weren’t built to be truly comprehensive and encompassing directory services. They don’t offer the degree of control required from an identity provider, nor do they connect to a wide variety of IT resources.
Users access far more resources than simply web applications — and they work on a variety of operating systems (Mac, Windows, Linux, etc.). They also need an internet connection, file storage, and access to cloud servers at AWS. Manually adding user profiles to each of these resources is time consuming, prone to human error, and encourages password fatigue. Additionally, IT admins will lack the control they need to centrally enforce security best practices like MFA, increasing the risk of a breach.
PRACTICE 6: USE A CLOUD DIRECTORY PLATFORM
Modern cloud directory platforms are built from the ground up to manage identities and resources across the cloud and on-prem. Google Workspace? Check. Wi-Fi networks? Check. AWS, Salesforce, Slack, GitHub, and more? Check, check, check, and check.
These platforms seamlessly integrate with on-prem and cloud-based IT resources via industry-standard protocols including LDAP, RADIUS, SAML, and SCIM. With this kind of platform in place, one identity can traverse the plethora of apps, devices/systems, files, and infrastructure that modern business requires via these protocols.
They also store credentials securely (i.e., one-way hashed and salted), which makes it incredibly difficult to recover the original passwords from the stored values.
That way, each user has one authoritative identity to access virtually all their IT resources, and admins centrally manage and secure that identity — all from the cloud.
CONCLUSION
When people look back on the trajectory of the Identity and Access Management space decades from now, they’ll see an inflection point — the moment when identities stopped proliferating out endlessly and began to consolidate again. The future of identities is simpler, more efficient, and more secure.
As more and more resources move to the cloud, there’s no way around the fact that the cloud is the most efficient place to manage identities.
But what about security? It might seem like the cloud is an easy target, but with correct security practices applied, the opposite is true. So move forward into the new world of cloud identity management with confidence. High costs and insufficient management are in the rear-view. Better security and authoritative identities lie ahead.