UPDATE: We've got a webinar scheduled for this Thursday (November 21st) at 12 p.m. with Idaptive. Use this link to register: http://content.security7.net/idaptive-webinar
The modern enterprise's IT infrastructure is borderless and it's not easy to manage. You've got more accounts, apps and devices than you can shake a stick at, and each one expands the surface that's exposed to attack.
Thinking about all of those exposures probably keeps you up at night. Understandable. You know you can't trust everyone who has access to your network or apps to behave responsibly.
Why is Identity and Access Management Important?
According to Gartner, proper Identity and Access Management “addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments, and to meet increasingly rigorous compliance requirements.”1
Applying Identity and Access Management best practices is incredibly important for any business, but in today’s cloud-dominated landscape it isn’t always easy. Identity and Access Management used to be fairly straightforward: users were local and endpoints were more tightly controlled. Things have changed. We live in a mobile world, BYOD/BYOMD is common, and Identity and Access Management has had to adapt.
For years, we’ve relied on a well-defined boundary to protect our assets. We knew where the perimeters of our networks and endpoints were, and kept our important assets on the safe side. That is changing. The world as we know it is an increasingly complex digital canvas of identities that live both inside and outside the enterprise, stretching the network perimeter until there is effectively no perimeter at all.
So what can you do?
That's an excellent question. What do we do? Well, we use Idaptive.
Idaptive redefines security from a legacy static perimeter-based approach to protecting millions of scattered connections in a boundary-less hybrid enterprise.
Idaptive is the only industry-recognized leader in both Privileged Identity Management and Identity-as-a-Service. Idaptive provides a single platform to secure every user’s access to apps and infrastructure in today’s boundary-less, hybrid enterprise through the power of identity services.
We use Idaptive in two key areas: Identity as a Service and Privilege Management.
How Idaptive Identity Services is Different from the Competition:
A good IDaaS solution provides three key functions:
- Identity governance and administration (“IGA”) — this includes the ability to provision identities held by the service to target applications
- Access — this includes user authentication, single sign-on (SSO), and authorization enforcement
- Intelligence — this includes logging events and providing reporting that can answer questions such as “who accessed what, and when?”
Idaptive’s Identity Service platform is one of the most comprehensive and feature-rich solutions we’ve ever seen, and here’s why:
- Single Sign-on (SSO) for Cloud and Mobile apps - One-click access to your cloud, mobile and on-premises apps. No more forgotten passwords, no more user confusion. Supports internal users (employees, contractors) and external users (partners, customers).
- Automated Account Management - From the day they start to the day they depart, manage employees’ access to all their apps from any source: Active Directory, LDAP, Cloud Directory or external identity. Create accounts, automate app requests with workflows and revoke access from all devices when necessary — from a central control point.
- App Data Protection - Leverage your users’ mobile devices as a second factor for app authentication: SMS, email, voice or secure OTP, so you can implement MFA without the hassle for your users. Of these, an OTP or push app is the stronger choice; SMS, voice and email codes are easier to intercept or phish, so treat them as fallbacks rather than the default. Idaptive Identity Service provides context-aware, step-up authentication based on per-app policy.
- Integrated Mobile Device and App Management - Identity-based policy is the lifeblood of BYOD. Secure and manage the devices used to access cloud and mobile apps through fully-integrated mobile device and app management capabilities. Push apps, policy, certificates and more — and pull it all back when devices are lost or stolen.
- Identity Based Security and Management for Macs - Join Macs to Active Directory, and provide SSO to your Mac users. Leverage Active Directory Group Policy to manage Macs just like Windows machines.
How Idaptive Identity Services Manages Users:
Idaptive breaks users down into two categories, internal users (employees and contractors) and external users (customers and business partners), and allows feature-rich customization for each.
Employees and Contractors:
- Control access to cloud and mobile apps and manage the devices used to access them
- Improve security by eliminating easily cracked, recycled or improperly stored passwords
- Keep sensitive directory info where you want it: on-site in LDAP or Active Directory, in the cloud, or any combination
- Create comprehensive user access policies that span across apps and devices
- Enforce deeper security with per-app policies and context-aware multi-factor authentication
- Manage and control application provisioning and entitlements
- Secure your BYOD initiatives through integrated, cloud-based mobile device management (MDM)
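The “context-aware, step-up authentication based on per-app policy” in the App Data Protection bullet, and the “per-app policies and context-aware multi-factor authentication” bullet just above, describe a policy decision: given what is known about a login (app, source network, device, time, what the session has already proven), decide whether to allow it, demand a stronger factor, or refuse. The example below is added here to make that decision concrete; it is not Idaptive's policy model, API or code. The policy fields, the three risk signals, the assurance-level scale and every address, user and device in it are assumptions constructed for the illustration.

```python
"""Context-aware, per-app step-up authentication.

Added illustration of the idea described above. It is not Idaptive's policy
model or API: the policy fields, risk signals and assurance levels below are
assumptions chosen for this example, and all sample data is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assurance levels a session can hold, lowest to highest (assumed scale):
# password only; password + OTP/push; password + phishing-resistant factor.
AAL_PASSWORD, AAL_MFA, AAL_PHISHING_RESISTANT = 1, 2, 3


@dataclass(frozen=True)
class Context:
    """What the policy engine knows about one access request."""
    user: str
    app: str
    src_ip: str
    device_id: str
    device_managed: bool       # enrolled in MDM
    hour_utc: int
    session_level: int         # assurance the session has already proven


@dataclass(frozen=True)
class AppPolicy:
    """Per-app rule: a baseline level, and a higher level when any risk signal fires."""
    baseline: int
    elevated: int = AAL_MFA
    require_managed_device: bool = False
    trusted_networks: tuple = ()              # CIDR strings
    work_hours_utc: Optional[tuple] = None    # (start, end), end exclusive


def risk_signals(policy: AppPolicy, ctx: Context, known_devices: dict) -> list:
    """Return the context signals that should trigger step-up for this request."""
    signals = []
    if policy.trusted_networks and not any(
            ip_address(ctx.src_ip) in ip_network(net) for net in policy.trusted_networks):
        signals.append("untrusted network")
    if ctx.device_id not in known_devices.get(ctx.user, set()):
        signals.append("unrecognised device")
    if policy.work_hours_utc:
        start, end = policy.work_hours_utc
        if not start <= ctx.hour_utc < end:
            signals.append("outside work hours")
    return signals


def decide(policies: dict, ctx: Context, known_devices: dict) -> tuple:
    """Return (action, required_level, reasons).

    action is 'allow', 'step_up' (re-authenticate at required_level) or 'deny'.
    Apps with no policy are denied: fail closed rather than fall back to
    password-only access.
    """
    policy = policies.get(ctx.app)
    if policy is None:
        return "deny", None, ["no policy for app"]
    if policy.require_managed_device and not ctx.device_managed:
        return "deny", None, ["unmanaged device"]
    reasons = risk_signals(policy, ctx, known_devices)
    required = max(policy.baseline, policy.elevated) if reasons else policy.baseline
    action = "allow" if ctx.session_level >= required else "step_up"
    return action, required, reasons


# Constructed sample policies and device inventory.
POLICIES = {
    "wiki": AppPolicy(baseline=AAL_PASSWORD, trusted_networks=("10.0.0.0/8",)),
    "payroll": AppPolicy(baseline=AAL_MFA, elevated=AAL_PHISHING_RESISTANT,
                         require_managed_device=True,
                         trusted_networks=("10.0.0.0/8",), work_hours_utc=(7, 20)),
}
KNOWN_DEVICES = {"alice": {"laptop-a1"}}


if __name__ == "__main__":
    requests = [
        Context("alice", "wiki", "10.1.2.3", "laptop-a1", True, 10, AAL_PASSWORD),
        Context("alice", "wiki", "203.0.113.5", "laptop-a1", True, 10, AAL_PASSWORD),
        Context("alice", "payroll", "10.1.2.3", "laptop-a1", True, 10, AAL_MFA),
        Context("alice", "payroll", "10.1.2.3", "laptop-a1", True, 23, AAL_MFA),
        Context("alice", "payroll", "10.1.2.3", "phone-x9", False, 10, AAL_MFA),
        Context("bob", "wiki", "10.1.2.3", "laptop-b7", True, 10, AAL_PASSWORD),
    ]
    for ctx in requests:
        print(ctx.user, ctx.app, decide(POLICIES, ctx, KNOWN_DEVICES))
```

Two design points are worth noticing. The engine never lowers the requirement below the app's baseline, so a quiet context cannot talk a sensitive app down to password-only access, and an app without a policy is denied rather than silently allowed. The step-up decision returns the level it wants rather than a fixed "do MFA", which is what lets a sensitive app on an untrusted network demand a phishing-resistant factor while a low-value app settles for an OTP.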
Customers and Business Partners:
- Enable social login from Facebook, Google, LinkedIn and Microsoft
- Provide SSO across disparate tools, sites, apps or services
- Give users a consistent login experience across your brand
- Speed onboarding for new customer accounts
- Free developers from the hassle of identity/user management
- Use secure standards like SAML and OpenID Connect
- Eliminate standalone silos of identity to reduce IT overhead
- Give partners secure access to just the resources you allow
- Let your partners manage their own employee identities
- Implement access policies that meet your needs, without having to manage partner policy
- Enable simple multi-factor authentication for partners as needed, without investing in additional infrastructure
- Avoid complex implementations and risky firewall changes
Idaptive Privilege Management is a flexible, highly granular privilege management solution. Users can get their work done while you reduce your risk, and implementing a least-privilege approach becomes easy.
Why Privilege Management is Important:
The least-privilege principle states that every module (in this case a user or application) must be able to access ONLY the information and resources that are necessary for its legitimate purpose.
But what exactly does that mean? Let’s look at it from a different perspective:
You’ve just bought a brand new house in a new, well-kept but unfamiliar neighborhood. You go to the local hardware store and have a bag of keys cut that will unlock your front door.
As you walk home you decide to give a brand new, freshly cut key to everyone you meet. You think, “The neighborhood looks safe. These people look fine. I trust them with access.” Perfectly OK, right?
Absolutely not. So let me ask you a question: if you wouldn’t give people free access to your home, why would you give a user or application free access to your network or computer systems?
Granting people or applications more privilege than they need opens your network ecosystem up to a host of potentially harmful actions. It’s a prime example of Murphy’s Law: “what can go wrong, will go wrong.” Idaptive will help you avoid potential disaster.
Over time, using the least-privilege principle and Idaptive’s Privilege Management can provide you with three very basic, but important things:
- Better system stability
- Better system security
- Easier deployment of users, applications and other modules
How Idaptive Privilege Suite is Different:
It’s surprisingly easy for a company to fall into a privileging pitfall. Let’s look at some bad practices:
Default Administrative Account/Shared Credentials - Rather than setting up each network administrator with their own, unique administrator account, everyone uses one shared account to access all of the administrative features.
Using one shared account not only makes a network or computer system less secure, it also strips out any user accountability. If everyone is using the same credentials, how would you determine who changed a setting or caused a problem on your system? A shared password is also rarely rotated when one of its holders leaves, so their access quietly outlives their employment.
You can’t. At least not easily.
Individual Administrative Accounts without User-Level Accounts - Setting your admins up with their own individual administrative accounts is a step forward from sharing credentials, but you’ll still run into trouble if those administrators don’t use a complementary user-level account as well.
A user level account is defined as a “computer account that has user-level privileges (and) can be used to access email, browse the internet and run programs that the account is authorized to access.”
In comparison, an administrative account is a “computer account with administrator-level privileges (that) can do all of the same things as a user-level account, and also can be used to install software on the system and configure computer and network settings.”
Even though your administrators are administrators, it doesn’t mean they should always be logged in with an administrative account. Doing everyday work such as email and web browsing under an administrative account means that any malware that gets a foothold through that browser or mail client runs with the same administrator rights, turning one careless click into a hostile takeover of the system.
Using the principle of least privilege as described above and Idaptive Privilege Management, you’ll be able to:
- Easily increase security and accountability by having fewer shared accounts.
- Easily assign or revoke the right privileges for users across Windows, Linux and UNIX systems
- Realize operational efficiencies through integrated authorization, authentication and audit that leverages existing investments in Active Directory
- Prove compliance with regulations and industry mandates to auditors with a single view into the control and security of user privileges
- Ensure all privileged activity is tied to an individual. Users log in as themselves, seamlessly elevate privilege and all activity is audited.
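The shared-credentials pitfall above and the last bullet (“all privileged activity is tied to an individual”) come down to one question an investigator asks of an audit trail: which person ran this privileged command? The example below, added here and not Idaptive's audit format, API or code, works that question over a constructed JSON-lines log containing both models side by side: two sessions that log straight in as a shared “admin” account, one session that logs in as a personal account and elevates to root for a single command, and one privileged action with no matching login at all. The event schema (type, session, account, run_as), the account names and the roster of people who hold the shared password are all assumptions made for the illustration.

```python
"""Tie privileged activity back to an individual.

Added illustration, not Idaptive's audit format or API. The JSON-lines log
below is constructed, and the event schema (type, session, account, run_as)
is an assumption chosen for this example.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Accounts whose password is known to several people (assumed). Actions run
# under them cannot be attributed to a person from the log alone.
SHARED_ACCOUNTS = {"admin"}
# Who has been handed the shared password (constructed roster). A candidate
# set like this is the best an investigator can do for a shared-account session.
SHARED_ACCOUNT_HOLDERS = {"admin": {"alice", "bob", "carol"}}

# Constructed audit trail. Sessions s1 and s2 use the shared 'admin' account
# directly. Session s3 logs in as a personal account and elevates to root for
# one command, the model the bullets above describe. Session s9 has no login.
AUDIT_LOG = """
{"ts": "2019-11-18T09:01:00Z", "type": "login", "session": "s1", "account": "admin", "src_ip": "10.1.1.5"}
{"ts": "2019-11-18T09:02:10Z", "type": "privileged_action", "session": "s1", "run_as": "admin", "detail": "Set-DnsServerForwarder 198.51.100.9"}
{"ts": "2019-11-18T09:05:00Z", "type": "login", "session": "s2", "account": "admin", "src_ip": "10.1.1.77"}
{"ts": "2019-11-18T09:06:30Z", "type": "privileged_action", "session": "s2", "run_as": "admin", "detail": "New-LocalUser svc_backup2"}
{"ts": "2019-11-18T09:10:00Z", "type": "login", "session": "s3", "account": "dave", "src_ip": "10.1.1.42"}
{"ts": "2019-11-18T09:11:05Z", "type": "elevate", "session": "s3", "run_as": "root", "detail": "systemctl restart sshd"}
{"ts": "2019-11-18T09:11:06Z", "type": "privileged_action", "session": "s3", "run_as": "root", "detail": "systemctl restart sshd"}
{"ts": "2019-11-18T09:12:00Z", "type": "privileged_action", "session": "s9", "run_as": "root", "detail": "useradd backdoor"}
"""


@dataclass(frozen=True)
class Attribution:
    ts: str
    detail: str
    run_as: str
    person: Optional[str]      # None when no single individual can be named
    candidates: frozenset      # possible people when person is None
    note: str


def parse_log(text: str) -> list:
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def attribute(events: list) -> list:
    """Map every privileged_action to the human behind its session, where the log allows.

    The key is the login account of the session, not the account the action
    ran as: a personal login that elevated to root is still attributable.
    """
    session_account = {e["session"]: e["account"] for e in events if e["type"] == "login"}
    results = []
    for e in events:
        if e["type"] != "privileged_action":
            continue
        account = session_account.get(e["session"])
        if account is None:
            results.append(Attribution(e["ts"], e["detail"], e["run_as"], None, frozenset(),
                                       "no login event for session"))
        elif account in SHARED_ACCOUNTS:
            results.append(Attribution(e["ts"], e["detail"], e["run_as"], None,
                                       frozenset(SHARED_ACCOUNT_HOLDERS.get(account, ())),
                                       f"shared account '{account}': attribution impossible from log"))
        else:
            results.append(Attribution(e["ts"], e["detail"], e["run_as"], account,
                                       frozenset({account}), "personal login, elevated in-session"))
    return results


def accountability_gap(results: list) -> float:
    """Fraction of privileged actions that cannot be tied to one person."""
    if not results:
        return 0.0
    return sum(1 for r in results if r.person is None) / len(results)


if __name__ == "__main__":
    results = attribute(parse_log(AUDIT_LOG))
    for r in results:
        who = r.person or f"UNKNOWN (candidates: {sorted(r.candidates) or '-'})"
        print(f"{r.ts}  {r.run_as:<6} {r.detail:<40} -> {who}  [{r.note}]")
    print(f"unattributed: {accountability_gap(results):.0%}")
```

Only the root command in session s3 comes back with a name, because the log records who logged in before the elevation. The two shared-account sessions come back with a three-person candidate set and a source IP as the only leads, and the orphan s9 event comes back with nothing, which is the state a shared-password estate is in most of the time. The same correlation is what a privilege-management product has to do for you, and it can only do it if every session starts as a named individual.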