In the past few years, we have seen a significant migration in most industries to a dispersed, work-from-home environment. Fewer employees come into the office, holding virtual meetings instead, yet the pace of business has not slowed.
Simultaneously, more and more business systems are supplied in a Software-as-a-Service (SaaS) model. This fulfillment means the organization pays a subscription fee to access software rather than buying the software and running it on company-owned IT infrastructure.
Employees also have more and more accounts, which means more usernames and passwords to remember. This shift makes it more difficult for organizations and their employees to control Identity and Access Management.
When an employee is working from home, can they sign in to their company email from a personal computer? Likewise, what company data can users access from a hotel lobby computer?
If an employee leaves an organization, does anyone have a list of all the employee’s accounts? Can their access to internal systems be quickly disabled?
Do employees have so many different usernames and passwords that they must write down or use the same passwords across multiple services?
Defining Identity and Access Management
Identity and Access Management (IAM) enables organizations to answer these questions positively, so let us first examine Identity.
Identity refers to each employee’s digital identity within an organization; in most cases, this is one or many usernames. An employee likely has some of the following identities:
- Active Directory account (used to sign on to their corporate computer)
- Office 365 account (Outlook, Teams, SharePoint, etc.)
- Line of business (LOB) applications
- Salesforce
- ServiceNow
- Zoom
- Electronic medical records (EMR)
- Accounting systems
- iOS or Android accounts
Ideally, each employee should have a single corporate identity that uniquely identifies them. But in reality, we all have several accounts that identify us to different parts of an organization. Often, merely remembering all of these accounts is difficult, so how do we know they are secure?
Enter Single Sign-On (SSO). SSO enables each employee to have a single corporate identity, using it to access the corporate network, email, Salesforce, and beyond with only one account.
There is a wide variety of SSO solutions, but Kalleo Technologies recommends Azure AD since Microsoft has already integrated Azure AD in Office 365.
Azure AD SSO enables each employee to have a single corporate identity, one account. The same username and password used to sign in to their computer can also sign in to Zoom. When the password is changed, it is changed once for all systems. If an employee leaves the organization, the organization only has to disable a single account.
Now that we have created one master account with access to everything, how do we make sure it is secure?
The answer is Access Management. Cloud-based IT systems allow sign-in from anywhere in the world on any device. This capability has tremendous power – and immense risk too.
Security and Access Management
Good security practice, like well-configured Access Management, is deployed in layers. A password is a form of Access Management in that it restricts access to those who know the password. Unfortunately, a password by itself is not very secure. If you re-use the same password across multiple services and any one of those services is breached, your password is very often exposed along with it.
The next protection layer in Access Management is Multi-Factor Authentication (MFA), also called Two-Factor Authentication.
When you authenticate (sign in), you provide your password as the first factor; this is “something you know.” The second factor is a 6-digit code sent to your phone, which is “something you have.” Combining something you know (password) and something you have (your phone) adds a strong layer of security to your account. Even if a malicious attacker knows your password, they must also have your phone to access your account.
In some cases, organizations may wish to have further access control. MFA provides robust protection from external threats, but what about internal threats? Internal threats can range from malicious insiders trying to steal company data to an employee using a friend’s computer to check their work email.
The next layer of Access Management could be blocking all sign-in attempts based on geographical location. For example, if you do not expect employees to sign in from Russia, block sign-ins from Russia. Access control can also be based on device type. With a Mobile Device Management (MDM) solution like Microsoft Intune, an organization could, for example, block sign-in attempts from devices (laptops, smartphones, etc.) that are not company-owned.
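As an added illustration of the layered controls described above (this is example code, not code from the article or from Kalleo Technologies), the following Python sketch evaluates a sign-in attempt against the four layers in order: password, MFA, geographic block, and device ownership. The user record, policy values, country codes and device identifiers are constructed sample data; it assumes that verifying the code sent to the phone and geolocating the source IP address happen elsewhere and arrive as inputs.

```python
"""Layered sign-in evaluation: password -> MFA -> geography -> device.

Added example for illustration only; all users, devices, and policy
values below are constructed sample data, not real accounts or policy.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a salted PBKDF2 hash, never the plain password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    mfa_enrolled: bool


@dataclass
class SignInAttempt:
    username: str
    password: str
    mfa_code_ok: bool   # assumed: result of checking the code sent to the phone
    country: str        # assumed: country code from IP geolocation
    device_id: str      # assumed: identifier reported by the MDM agent


@dataclass
class AccessPolicy:
    require_mfa: bool = True
    blocked_countries: Set[str] = field(default_factory=set)
    company_devices: Set[str] = field(default_factory=set)  # MDM-enrolled devices
    require_company_device: bool = False


def evaluate_sign_in(user: User, attempt: SignInAttempt,
                     policy: AccessPolicy) -> Tuple[bool, str]:
    """Apply each Access Management layer in turn; stop at the first failure."""
    # Layer 1: something you know. Constant-time compare avoids timing leaks.
    _, candidate = hash_password(attempt.password, user.salt)
    if not hmac.compare_digest(candidate, user.password_hash):
        return False, "bad password"
    # Layer 2: something you have.
    if policy.require_mfa:
        if not user.mfa_enrolled:
            return False, "mfa not enrolled"
        if not attempt.mfa_code_ok:
            return False, "mfa failed"
    # Layer 3: geographic block (the article's Russia example -> "RU").
    if attempt.country in policy.blocked_countries:
        return False, f"blocked country {attempt.country}"
    # Layer 4: only company-owned (MDM-enrolled) devices may sign in.
    if policy.require_company_device and attempt.device_id not in policy.company_devices:
        return False, "device not company-owned"
    return True, "allowed"


def run_demo() -> dict:
    """Constructed user, policy and attempts exercising every layer."""
    salt, digest = hash_password("correct horse battery staple")
    user = User("jdoe", salt, digest, mfa_enrolled=True)
    policy = AccessPolicy(require_mfa=True, blocked_countries={"RU"},
                          company_devices={"LAPTOP-0042"}, require_company_device=True)
    attempts = {
        "ok": SignInAttempt("jdoe", "correct horse battery staple", True, "US", "LAPTOP-0042"),
        "wrong_password": SignInAttempt("jdoe", "Password123", True, "US", "LAPTOP-0042"),
        "no_mfa": SignInAttempt("jdoe", "correct horse battery staple", False, "US", "LAPTOP-0042"),
        "geo_blocked": SignInAttempt("jdoe", "correct horse battery staple", True, "RU", "LAPTOP-0042"),
        "personal_device": SignInAttempt("jdoe", "correct horse battery staple", True, "US", "FRIENDS-PC"),
    }
    return {name: evaluate_sign_in(user, a, policy) for name, a in attempts.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_demo().items():
        print(f"{name:16s} allowed={allowed!s:5s} reason={reason}")
```

The order matters: the cheap, high-signal layers (a correct password, then a valid second factor) run before the contextual ones, and each denial returns a distinct reason so that a sign-in log can show which layer stopped the attempt, for example a correct password and MFA code from a non-company device, which is exactly the internal-threat case the article describes.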
Final Thoughts
Identity and Access Management is all about making sure the right people have the proper access in the right ways.
The specific needs of each organization can vary significantly. Yet almost every organization needs to manage identities and manage the access those accounts have.
If you would like to learn more about how Identity and Access Management can help your organization, please let us know!
Article Written by Greg Sneed / Senior Solutions Engineer / Kalleo Technologies