Established in 2021 in partnership with the National Cybersecurity Alliance, Identity Management Day is a date set aside to educate individuals and organisations on: (1) the dangers of improperly managing and securing digital identities, and (2) the best practices in Identity that inspire people to act.
Our online behaviours matter, whether we act as consumers, employees, leaders, or partners. On this second Tuesday of April, we take the occasion as a chance to evaluate our part as the first line of defense in our digital ecosystem. For example, reusing a password or clicking on a suspicious link doesn’t just wreak havoc on our individual lives; it also gives a cyber attacker a foot in the door of our corporate network.
Identity breaches are ubiquitous, but thankfully they are preventable, whether you are an individual, a small enterprise, a government office, or a Fortune 500 company.
Why is Identity and Access Management Important?
Identity Management (IdM) / Identity and Access Management (IAM) ensures that authorised people – and only authorised people – have access to the technology they need to perform their job functions. It comprises the policies and technologies of an organisation-wide process that identifies and authenticates people or software applications, and grants them access according to attributes such as user access rights and restrictions tied to their identities.
An IdM/IAM system:
- Prevents unauthorised access to systems and resources;
- Prevents exfiltration of enterprise or protected data;
- Raises alarms when access attempts are made by unauthorised personnel or programs, whether from inside or outside the enterprise perimeter.
IdM/IAM solutions protect not just software and data access but also hardware resources in an enterprise (such as networks, servers, and storage devices) from rogue access. IdM/IAM has gained importance over the past 10 years due to the growing number of global regulatory compliance and governance mandates that seek to protect sensitive data from exposure of any kind. IdM/IAM systems are generally part of IT security and IT data management within the enterprise, and their tools are widely available for the broad range of devices that users rely on to perform business functions, from desktop computers running Windows or Linux to mobile devices running iOS or Android.
Why do we need Identity Management?
A recent study by the International Information System Security Certification Consortium (ISC)² found that 80% of breaches were due to Identity access issues, namely weak or mismanaged credentials. If proper controls are not in place, passwords can be compromised, phishing attacks enabled, and ransomware attacks or other types of breaches can become reality. Fortunately, modern IAM platforms offer automation to help ensure controls are applied, such as removing a user from the directory when the HR system indicates an employee has left the company.
Because new privacy and data-protection legislation is created so frequently, IAM plays another important role: (1) helping an organisation stay in compliance with the myriad of governance and regulatory mandates in effect; and (2) ensuring that only approved users have access to data.
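The automation mentioned above (removing or disabling accounts when HR records a leaver) is, in practice, a reconciliation between the HR roster and the directory. The following is an added example, not GlobalSign's or any product's code: it compares a constructed HR feed with a constructed directory export and derives the actions an IAM automation would queue, including the cases a simple "HR says terminated, so disable" rule misses (accounts unknown to HR, accounts disabled while HR still says active, and service accounts with no named owner). All names, employee IDs and dates are constructed.

```python
"""Joiner/mover/leaver reconciliation: compare an HR roster with a directory
export and derive the account actions an IAM automation would carry out.
Added example; all names, IDs and dates are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                       # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class DirectoryAccount:
    username: str
    employee_id: Optional[str]        # None when no person owns the account
    enabled: bool
    account_type: str = "user"        # "user" or "service"


# Constructed HR feed and directory export (hypothetical data).
HR_FEED = [
    HrRecord("E1001", "active"),
    HrRecord("E1002", "terminated", date(2024, 3, 29)),
    HrRecord("E1003", "active"),
]
DIRECTORY = [
    DirectoryAccount("alice", "E1001", True),
    DirectoryAccount("bob", "E1002", True),                 # left the company, still enabled
    DirectoryAccount("carol", "E1003", False),              # active in HR but disabled
    DirectoryAccount("dave", "E1099", True),                # unknown to HR: orphan
    DirectoryAccount("svc-backup", None, True, "service"),  # service account without an owner
]


def reconcile(hr_feed: List[HrRecord], directory: List[DirectoryAccount]) -> Dict[str, List[str]]:
    """Return the usernames needing action, grouped by category.

    disable:         enabled user accounts whose HR owner is terminated
    orphan:          user accounts whose employee_id is unknown to HR
    review:          accounts disabled in the directory although HR says active
    unowned_service: service accounts with no named owner in HR
    """
    hr_by_id = {rec.employee_id: rec for rec in hr_feed}
    actions: Dict[str, List[str]] = {"disable": [], "orphan": [], "review": [], "unowned_service": []}
    for acct in directory:
        if acct.account_type == "service":
            # Service accounts are not tied to a leaver event, but each one needs an owner.
            if acct.employee_id is None:
                actions["unowned_service"].append(acct.username)
            continue
        rec = hr_by_id.get(acct.employee_id)
        if rec is None:
            actions["orphan"].append(acct.username)
        elif rec.status == "terminated" and acct.enabled:
            actions["disable"].append(acct.username)
        elif rec.status == "active" and not acct.enabled:
            actions["review"].append(acct.username)
    return actions


if __name__ == "__main__":
    for category, users in reconcile(HR_FEED, DIRECTORY).items():
        print(f"{category:16s} {', '.join(users) or '-'}")
```

The "review" and "orphan" categories are deliberately not auto-disabled: a directory account that HR does not know about may be a contractor fed from a different system, so the safe automation is to disable confirmed leavers immediately and route everything else to a human owner.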
A solid IAM strategy is a critical component of overall IT security and offers a first line of protection to any threat, whether from outside or inside the firewall. In the end, IT security is largely about access.
What are the business benefits of Identity Management (IdM)?
The ability to successfully protect assets can have a direct bottom-line impact on the value of an organisation. IAM accelerates time to value for anyone who needs access to enterprise resources to perform their job, by shortening the time between onboarding a new employee and their gaining access to system resources.
Aside from providing an enhanced business value through improved security, there are other tangible business benefits. Automation of IAM tasks frees up IT for bottom-line focused projects, and self-service IdM tools improve the overall productivity of employees, contractors, and other users who access corporate resources.
Implementing an overall IAM framework can provide opportunities for growth by improving the scalability of those services critical to onboarding new users, and the resulting reduction in IT effort translates to a better ROI (Return on Investment) for the IT organisation as a whole.
IAM has become the foundation for all these business benefits and continues to protect the enterprise from threats that could lead to data theft, malicious attacks, or exposure of sensitive customer, corporate, or legal information.
What is the difference between IAM and IdM?
IAM is a security and business discipline that includes various technologies and processes to enable people and machines to access the assets they need at the right time and for legitimate reasons, while keeping fraud and unauthorised access at bay.
While IdM and IAM are terms often used interchangeably, IdM is more focused on a user identity (or username) and the roles, permissions, and groups that user belongs to. IdM also focuses on protecting identities through a variety of technologies such as passwords, biometrics, Multi-Factor Authentication (MFA), and other forms of digital credential. This is usually achieved by the adoption of IdM software applications and platforms.
What is Access Management?
Access Management is the authentication of an identity that is requesting access to a particular resource, followed by the access decision: simply a Yes or No on whether to grant that access. This can be a tiered process, with access services that determine whether a user is authorised for any access on the network at all, and lower tiers that determine whether the identity in question should be granted access to specific servers, drives, folders, files, and applications.
Remember that Authentication is not the same thing as Authorisation. Although an identity (user) may be authorised to be on the corporate network and has an account in the directory, that does not automatically grant that identity the ability to access every application enterprise-wide. Authorisation for any given application or resource will be determined by the identity’s attributes, such as which group(s) it belongs to, its level in the organisation, or a specific role that was previously assigned.
As with authentication, authorisation can be granted in multiple tiers within the organisation, for example both as a centralised service and again locally for a given application or resource, although authenticating at the resource or service level is frowned upon, since central authentication provides more consistent control.
What is the difference between IDENTITY Management and ACCESS Management?
IDENTITY management is all about managing the attributes related to the USER, group of users, or other identity that may require access from time to time.
ACCESS management is all about evaluating those attributes based on existing policies and making a Yes or No access decision based upon those attributes.
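The separation described in the preceding sections (authentication establishes who the identity is, authorisation evaluates that identity's attributes against a policy, and the decision is a plain Yes or No) can be made concrete in code. The example below is added here and is not GlobalSign's code or any product's API: it keeps a small directory of identities with salted, hashed passwords and attributes (groups, level, roles), authenticates first, and only then evaluates a per-resource policy, defaulting to deny for unknown resources. The users, passwords, resource names and policies are constructed for illustration.

```python
"""Authentication (who is this?) kept separate from authorisation (may this
identity use this resource?), with the access decision reduced to Yes/No.
Added example with constructed identities, resources and policies."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Directory:
    """Identity store: attributes plus a salted password hash per user."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}

    def add_user(self, username, password, groups, level, roles=(), enabled=True):
        salt = secrets.token_bytes(16)
        self._users[username] = {
            "salt": salt, "hash": _hash_password(password, salt),
            "groups": set(groups), "level": level, "roles": set(roles), "enabled": enabled,
        }

    def authenticate(self, username: str, password: str) -> Optional[dict]:
        """Tier 1: return the identity's attributes if the credential is valid, else None."""
        rec = self._users.get(username)
        if rec is None or not rec["enabled"]:
            return None
        if not hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"]):
            return None
        return {"username": username, "groups": rec["groups"],
                "level": rec["level"], "roles": rec["roles"]}


# Constructed resource policies: which attributes a resource requires.
POLICIES = {
    "file:///finance/payroll.xlsx": {"any_group": {"finance"}, "min_level": 3},
    "app://hr-portal": {"any_role": {"hr-admin", "hr-viewer"}},
    "app://wiki": {},  # any authenticated identity
}


def authorise(identity: dict, resource: str) -> bool:
    """Tier 2: evaluate the identity's attributes against the resource policy."""
    policy = POLICIES.get(resource)
    if policy is None:
        return False  # unknown resource: default deny
    if "any_group" in policy and not (identity["groups"] & policy["any_group"]):
        return False
    if "any_role" in policy and not (identity["roles"] & policy["any_role"]):
        return False
    if identity["level"] < policy.get("min_level", 0):
        return False
    return True


def request_access(directory: Directory, username: str, password: str, resource: str) -> str:
    """Full flow: authenticate, then authorise. The outcome label says which step failed."""
    identity = directory.authenticate(username, password)
    if identity is None:
        return "denied:not-authenticated"
    if not authorise(identity, resource):
        return "denied:not-authorised"
    return "granted"


def build_demo_directory() -> Directory:
    """Constructed demo identities (hypothetical)."""
    d = Directory()
    d.add_user("alice", "correct horse", groups=["finance"], level=4)
    d.add_user("bob", "battery staple", groups=["engineering"], level=2, roles=["hr-viewer"])
    d.add_user("eve", "pw", groups=["finance"], level=5, enabled=False)
    return d


if __name__ == "__main__":
    d = build_demo_directory()
    for user, pw, res in [("alice", "correct horse", "file:///finance/payroll.xlsx"),
                          ("bob", "battery staple", "file:///finance/payroll.xlsx"),
                          ("bob", "battery staple", "app://hr-portal"),
                          ("eve", "pw", "app://wiki")]:
        print(user, res, "->", request_access(d, user, pw, res))
```

Note that bob authenticates successfully but is still refused the payroll file: having an account in the directory is the Tier 1 decision, and the group and level attributes drive the Tier 2 decision for each resource, exactly the distinction the text draws between being on the network and being allowed into a specific application.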
Identity and Access Management Features
Most access management solutions support functionality to protect against user impersonation and credential theft. With MFA, a user must present multiple forms of evidence to gain access to an application or system, for example, a password and a one-time, short-lived SMS code.
Authentication factors include:
- Knowledge – something the user knows, such as a password or the answer to a security question
- Possession – what the user has, such as a mobile device or proximity badge
- Inherence – biological features unique to the user such as a fingerprint or facial characteristics
- Location – the user’s geographic position
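To show how two of these factors combine into an MFA check, here is an added example (not GlobalSign's code or any product's) that verifies a knowledge factor (a salted, hashed password) and a possession factor (a time-based one-time password from an authenticator app, per RFC 6238 on top of RFC 4226 HOTP). Both must pass, the response does not reveal which factor failed, a small clock-skew window is tolerated, and an accepted code cannot be replayed within that window. The password and the time values are constructed; the TOTP secret is the published RFC 6238 test key, used so the expected codes are verifiable.

```python
"""Two-factor login check: password (knowledge) + TOTP (possession).
Added example; the password and times are constructed and the secret is the
RFC 6238 reference test key."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    now = time.time() if for_time is None else for_time
    return hotp(secret, int(now // step), digits)


class MfaAccount:
    def __init__(self, password: str, totp_secret: bytes) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest TOTP counter already accepted (replay guard)

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self.pw_hash)

    def check_totp(self, submitted: str, now: Optional[float] = None,
                   step: int = 30, skew: int = 1) -> bool:
        """Accept the code for the current step or one step either side,
        but never a counter at or below one already used."""
        now = time.time() if now is None else now
        base = int(now // step)
        for counter in range(base - skew, base + skew + 1):
            if counter <= self.last_counter:
                continue  # already consumed: reject replay
            if hmac.compare_digest(hotp(self.totp_secret, counter), submitted):
                self.last_counter = counter
                return True
        return False


def login(acct: MfaAccount, password: str, code: str, now: Optional[float] = None) -> str:
    """Both factors must succeed; a single generic label is returned on failure so
    the caller cannot learn which factor was wrong."""
    if not acct.check_password(password):
        return "denied"
    if not acct.check_totp(code, now):
        return "denied"
    return "granted"


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 reference key
    acct = MfaAccount("constructed-demo-passphrase", secret)
    t = 1111111109
    code = totp(secret, t)
    print("first use :", login(acct, "constructed-demo-passphrase", code, t))
    print("replay    :", login(acct, "constructed-demo-passphrase", code, t))
```

The password is checked first so that a wrong password never consumes a one-time code; the replay guard matters because an SMS or app code intercepted by an attacker is otherwise valid for the whole skew window, which is the weakness the text alludes to when it describes the code as one-time and short-lived.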
Access Management aims to grant authorised users the right to use a service, while preventing access to non-authorised users. This Information Technology Infrastructure Library (ITIL) process essentially executes policies defined in Information Security Management. Access Management is sometimes also referred to as 'Rights Management' or 'Identity Management'.
Identity and Access Management Best Practices
With 84% of organisations experiencing an Identity-related breach in the last year, it’s becoming a must to be Cyber Smart by being Identity Smart. But what does that really mean for you, and what are the actionable steps you can take?
As a Security Leader
You are well-advised to make Identity a top priority in your security program; discuss with your Board the risks that come with your organisation’s failure to address Identity security vulnerabilities. Think of Identity as the first line of your cybersecurity defense. Finally, strengthen the cybersecurity culture in your organisation: speak often about its best practices and their importance.
As a Security Practitioner
Prioritise IdM vulnerability assessments and closing security gaps. Get to know what you have, what’s sensitive, and protect it. Focus on security outcomes. Automate, automate, automate.
As an Individual
Practise good Identity hygiene – create strong passwords, use a password manager, and never share or reuse them. Recognise and report phishing. Keep your software up to date and enable MFA at home and at work.
User Authentication for Identity Smart Organisations
To make the application of IAM best practices standard in your organisation, GlobalSign offers solutions that enable individuals and groups to be Identity Smart.
Strong authentication lets the right people and devices in and keeps the wrong ones out. GlobalSign's strong authentication solutions utilise Digital Certificates for convenient and secure certificate-based and token-based two-factor authentication (2FA) for the protection of enterprise networks, data, and applications, including:
Machine and Server Authentication
Certificate-based authentication lets your organisation ensure that only machines and users with the appropriate credentials can access, communicate, and operate on corporate networks.
GlobalSign's Auto Enrollment Gateway (AEG) offers organisations an easy and cost-effective way to deploy and manage Digital Certificates for machine and server authentication. It serves as a connector between an organisation's Windows environment and GlobalSign as an issuing Certificate Authority.
Enterprises can leverage the information stored in Active Directory to auto-issue template-based, optionally customised certificates to all machines and servers residing within a domain or forest. The benefits of GlobalSign’s machine authentication solution include the following:
- It prevents malicious machines from accessing corporate networks and resources.
- It identifies which machines and servers have access to various networks.
- It allows mutual authentication between machines.
- It is cost-effective and scalable for organisations of all sizes.
- Its Active Directory integration allows for automatic enrollment and issuance of certificates.
Mobile Device Management via Public Key Infrastructure (PKI)
In many respects, mobile devices are just like offsite PCs when it comes to requiring strong authentication for enterprise networks, e.g., WiFi, VPNs. Certificate-based authentication via GlobalSign’s Managed PKI Platform provides a convenient and resource-efficient solution that allows organisations to balance the need to protect from unauthorised access with employee desires to access corporate data and communications on the go.
Between set-up costs, maintenance, training, and compliance, managing PKI is not something you can afford to get wrong. AEG gives you access to GlobalSign’s team of PKI experts to act as an extension of your team and through automation frees up your time for other tasks. So, if your company is using Active Directory to manage network users, devices and machines, AEG can manage your PKI – it’s that simple.
For decades, organisations have been enhancing mobile security with PKI. For those unfamiliar with it, PKI is a well-known and trusted security technology that authenticates users, machines, and servers within organisations.
PKI can be used on mobile devices for:
- Email Encryption and Signing – Ensure privacy of sensitive info and get proof of authorship/message origin by encrypting and digitally signing emails via devices.
- Email Authentication – Enable authorised devices to access your corporate email servers without being vulnerable to intruders through email authentication (with 24 x 7 email access!)
- VPN and WiFi Authentication – Only approved devices can access your enterprise connections with MFA for corporate WiFi and VPN connections – massively better than using weak and vulnerable usernames and passwords!
Benefits of Mobile Device Management (MDM)
- Only verified users get access to corporate resources
- Quick, cost-effective set up doesn't need extensive IT support
- Set up is non-intrusive and convenient for the end user
- Easily issue, renew, and revoke from one GlobalSign portal
- Compatible with popular MDM/EMM platforms like Microsoft Intune, AirWatch, and MobileIron Cloud or Core
- Works with both BYOD (Bring Your Own Device) or corporate-owned
Control Access to Private Networks and Add Security to Cloud Services
As recent highly publicised breaches indicate, organisations can no longer rely on passwords alone to protect sensitive data and resources stored in the cloud. As the corporate perimeter expands, protecting high-stakes data residing within the private network has become increasingly imperative, so much so that identifying which users have access to their corresponding set of resources only partially addresses the security challenge. On top of this, the shift to cloud services brings additional security considerations; fortunately, these are challenges that 2FA via Digital Certificates can address.
Implementing strong authentication via GlobalSign’s Managed PKI platform gives organisations an easy, cost-efficient method to implement 2FA for internal access to resources by users and machines, as well as external access by remote users.
Benefits of GlobalSign's Authentication (Cloud Services and Private Networks)
- Provides an additional layer of security, stronger than passwords alone
- Prevents unauthorised access and enhances current security
- Minimal involvement required from the end user after certificate is installed
- No tokens or other additional hardware needed
- Seamless experience for end user: Certificates are easily managed in GlobalSign's Managed PKI platform - issue, renew, and revoke from one portal
- The same certificate can be installed across multiple devices
- Cost-effective and easily scaled to meet high volume needs
Every day brings the risk that your data, systems, and resources become compromised, so adhering to the ideal standards of IdM is relevant every single day. Combining IdM best practices with the right tools and solutions can help you exceed your business goals, and GlobalSign is here to join your journey; we have the product knowledge and the industry experience to ensure that you get the technologies you need. Contact us today.