#HowTo: Identity management approach – Infosecurity Magazine
According to McKinsey, around 70% of CISOs faced security budget cuts in 2020. One of the biggest challenges is managing identities and controlling access to corporate resources now that employees are forced to work remotely for the foreseeable future.
Deploying effective identity and access management (IAM) programs today means securely ensuring that remote employees keep access to what they need outside their traditional domain defenses. Whether you have an existing strategy or are building your identity approach from scratch, there are some approaches that can directly benefit you.
Remote management of heterogeneous devices
One of the most significant changes in identity management today is the heterogeneity of IT. Previously, you could apply a standardized approach by using a directory to control all access to IT assets and applications. Microsoft’s Active Directory and the Windows operating system are a good example, as all machines would run the same family of operating systems on the same physical network.
Today, this approach is no longer effective. Devices range from computers running Windows, macOS, and Linux to phones and tablets running a mix of iOS, Android, and iPadOS. On top of that come cloud-based services and SaaS applications. Each of them must be managed from an identity perspective first.
With the shift to remote work and more heterogeneous IT, reviewing your directory approach is a great first step. For established businesses, expanding your existing directory may be enough to keep up with the new range of assets and devices you need to support identities on.
However, for many businesses running SaaS apps and a mix of devices, it may be easier to start from scratch with a directory in the cloud.
Understanding the standards
Identity management standards make the job of managing identities easier. The likes of RADIUS, LDAP, and Kerberos have been around for years. Extending these standards to support cloud implementations is necessary for today’s mixed environments. To support standards-based access such as RADIUS, you can implement your own server instance or use a cloud-based service that automates management for you.
However, these older standards do not effectively support SaaS applications, so additional ones are needed. Security Assertion Markup Language, or SAML, supports single sign-on (SSO) to web applications and provides access control when multiple security domains are involved.
SAML solutions securely expose a company’s directory information to external applications and websites. SAML is secure because it passes digitally signed XML assertions, issued for each specific application, rather than passing the user’s credentials to the application.
Taking the right approach can also make users more efficient. Just-in-time (JIT) provisioning allows you to automatically onboard new users. Rather than manually creating individual accounts in an app, a user account is created when that user first authenticates using SSO.
JIT provisioning uses SAML to pass the assertion from the identity provider to the service provider, which then uses the information in that assertion to create the user account. For services that support it, this automation gives IT more time to focus on other work, while end users enjoy faster access.
SCIM (System for Cross-domain Identity Management) is an API-driven identity management protocol for managing user identities in web applications. SCIM removes the friction points around provisioning and managing user accounts in web applications and keeps the organization’s central directory in sync with them. SCIM helps automate onboarding and offboarding, saving valuable time and reducing errors in permission levels.
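The JIT flow described above, as an added example that is not from the original article: the service provider checks the assertion’s audience and validity window, then creates the account on first login. The hosts, user and attributes are constructed; signature verification against the IdP certificate is assumed to have happened already.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (hypothetical hosts). The XML signature is omitted;
# verifying it against the IdP's certificate must happen before any of this runs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>engineering</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)  # inside the validity window

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_assertion(xml_text, expected_audience, now):
    """Return (name_id, attributes) after checking audience and validity window."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside validity window")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not intended for this service provider")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.findall(".//saml:Attribute", NS)}
    return name_id, attrs

def jit_provision(directory, xml_text, audience, now):
    """Create the account on the user's first SSO login; return (user, created)."""
    name_id, attrs = parse_assertion(xml_text, audience, now)
    if name_id in directory:
        return directory[name_id], False  # existing user: no duplicate account
    user = {"userName": name_id, "givenName": attrs.get("givenName"),
            "groups": [attrs["groups"]] if "groups" in attrs else [], "active": True}
    directory[name_id] = user
    return user, True
```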
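The onboarding and offboarding sync that SCIM automates, as an added example that is not part of the original article: a stand-in for a SaaS app’s SCIM `/Users` endpoint, plus a reconcile step that creates joiners and deactivates leavers from the central directory’s state. The directory entries and the store are constructed; a real deployment sends the same JSON bodies over HTTPS.

```python
import json

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

class ScimUserStore:
    """Stand-in for a SaaS app's /Users endpoint: create and patch resources."""
    def __init__(self):
        self.users = {}  # SCIM id -> User resource
        self._next_id = 1

    def create(self, body):
        res = json.loads(body)
        if SCIM_USER not in res.get("schemas", []):
            raise ValueError("unsupported schema")
        if any(u["userName"] == res["userName"] for u in self.users.values()):
            raise ValueError("userName must be unique")
        uid = str(self._next_id)
        self._next_id += 1
        self.users[uid] = {"id": uid, "active": True, **res}
        return self.users[uid]

    def patch(self, uid, body):
        req = json.loads(body)
        if SCIM_PATCH not in req.get("schemas", []):
            raise ValueError("unsupported schema")
        for op in req["Operations"]:
            if op["op"].lower() != "replace":
                raise ValueError("only replace is implemented here")
            self.users[uid][op["path"]] = op["value"]
        return self.users[uid]

def reconcile(directory, store):
    """Push the central directory's state to the app. Returns the actions taken."""
    actions = []
    by_name = {u["userName"]: u for u in store.users.values()}
    for name, entry in directory.items():
        if name not in by_name:  # onboarding: joiner not yet in the app
            store.create(json.dumps({"schemas": [SCIM_USER], "userName": name,
                                     "emails": [{"value": name, "primary": True}]}))
            actions.append(("create", name))
        elif not entry["active"] and by_name[name]["active"]:  # offboarding: leaver
            store.patch(by_name[name]["id"], json.dumps({"schemas": [SCIM_PATCH],
                "Operations": [{"op": "replace", "path": "active", "value": False}]}))
            actions.append(("deactivate", name))
    return actions
```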
Understand devices, context, and conditional access
Identity management has become more complex. With users spread across multiple devices and locations, handling access decisions means looking at the context. Understanding device trust is essential in these circumstances.
In a zero trust security model, no user, device, network, or other resource is trusted by default. A secure identity starts the process. Following this, you can verify that the device is known to the organization and therefore considered safe and secure. This can be done using a certificate issued to the device during the provisioning process.
Finally, you can consider each user’s network location. With many employees working from home, it may not be practical to whitelist every IP address. Instead, you can block requests that come from unexpected geographic locations.
When configuring policies, conditional access supports smarter working. For roles with limited mobility, restricting access to specific devices and locations ensures security without affecting users. For more mobile roles, location data can be used alongside multi-factor authentication and device attributes.
Identity is the one consistent control point left for IT security. To support it effectively, we need to implement processes that build on standards and embrace technologies like the cloud. By adopting cloud-based approaches for standards like RADIUS and for technologies like directories, we can simplify implementation, make it more efficient, and reduce costs.
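The conditional access logic from the last three paragraphs, as an added example that is not from the original article: identity comes first, then device trust from the provisioning certificate, then location, with fixed roles pinned to known devices and countries and mobile roles stepping up to MFA from unusual locations. The roles, device ids and countries in `POLICIES` are constructed.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    user: str
    role: str
    device_id: str
    device_cert_valid: bool   # device presented the certificate issued at provisioning
    country: str
    mfa_completed: bool

# Constructed policy data (hypothetical roles and devices): roles with limited
# mobility are pinned to specific devices and locations; mobile roles combine
# location with device trust and multi-factor authentication.
POLICIES = {
    "finance-clerk": {"mobile": False, "devices": {"LT-0042"}, "countries": {"GB"}},
    "field-sales":   {"mobile": True, "countries": {"GB", "IE"}},
}

def evaluate(req):
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
    policy = POLICIES.get(req.role)
    if policy is None:
        return "deny", "no policy for role"
    # Device trust: only devices known to the organization proceed past identity.
    if not req.device_cert_valid:
        return "deny", "device not known to the organization"
    if not policy["mobile"]:
        if req.device_id not in policy["devices"]:
            return "deny", "device not assigned to this role"
        if req.country not in policy["countries"]:
            return "deny", "location outside the role's allowed countries"
        return "allow", "known device from approved location"
    # Mobile role: home-region access on a trusted device is allowed outright;
    # an unusual location requires MFA before access is granted.
    if req.country in policy["countries"]:
        return "allow", "trusted device from home region"
    if req.mfa_completed:
        return "allow", "trusted device, unusual location, MFA satisfied"
    return "step_up", "unusual location: complete MFA before access"
```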