Organisations are facing a dilemma. On the one hand, everyone is looking to adopt new technologies and enjoy the business advantages they bring. On the other, we all need to keep ourselves safe, matching technology adoption with best practice cybersecurity.
As a result, many organisations find themselves struggling to give users fast and effortless access to an ever-increasing number of applications, while at the same time standing up to more frequent and sophisticated cyber-attacks.
The Case for Convenience
Controlling user access has become more challenging with each passing year. As end-users, we want access to everything, anytime and anywhere regardless of device. We also allow our expectations of personal technology to inform our opinions of corporate applications. The end result for business? Employees require access to an increasing number of digital assets, both corporate and personal. These assets commonly include a mix of cloud applications such as Salesforce, Workday, and Microsoft or Google Apps; social applications such as Facebook, LinkedIn, and Twitter; web applications such as portals and intranets; and traditional on-premises applications.
In the ideal world, corporate security would mandate strong passwords for every application. However, maintaining separate passwords and authenticating access for every application can be both frustrating for end users and reduce productivity. Evidently, users want seamless access to all the resources they need without constantly having to re-authenticate – hence the popularity of Single Sign-on (SSO) solutions.
Controlling for Cyber Risk
While end-user demands for convenience have never been higher, the need to maintain strong access controls have never been more critical – or more complex. Today’s IT security staff must grapple with the explosion of cloud and mobile applications layered on top of traditional on-premises applications. They must also manage and enable a globally distributed workforce and partner ecosystem that blurs the lines between employees, contractors, partners and sometimes even customers.
To make matters worse, it is no longer enough to focus on defending the organisation’s network perimeter. As recent cyber-attacks demonstrate, it is becoming more common for legitimate identities to become the attack vector for cyber criminals. Instead of targeting networks and application infrastructures, hackers are now exploiting identities to gain access to sensitive systems and data. Over the past three years, there have been numerous data breaches caused by cyber thieves obtaining the identity credentials of employees (for example via phishing), using them to access internal networks, and stealing sensitive customer and financial data.
Is Single Sign-On the Answer?
SSO is a method of access control that allows users to login once with a single password and gain access to a variety of applications. This makes it easier for users to remember their username and password combinations and less likely to write them down on sticky notes. SSO also improves productivity by reducing the time users spend entering passwords and the number of incidents where workers are locked out and require help to reset their passwords.
Despite the perks, there are inherent risks when a single username/ password combination unlocks all the resources employees can access. If cyber thieves obtain that employee’s credentials, they will be able to access all the resources that the employee can. Without enforcement of strong password policies, SSO makes a user’s most sensitive accounts available to attackers with very little effort.
Perhaps the biggest security risk of all, however, is the temptation to treat SSO as a one-stop solution for all IAM (identity and access management) needs. SSO solutions are not designed to provide the complete set of controls required to secure the enterprise. SSO is one tool in the IAM toolbox, but one that is focused on convenience more than control.
Identity Governance – Solving the Balance Dilemma
To balance SSO’s convenience with an appropriate level of control, organisations need to complement SSO with robust identity governance solutions. Identity governance provides the right preventive and detective controls required to regulate access, and identify and remediate security issues.
Identity governance can complement SSO in a number of ways:
- User provisioning: to automate defined processes for granting, changing, and removing user access privileges
- Policy management: to help strengthen passwords across all applications and to enforce unwanted “toxic combinations” of access privileges
- Self-service Password Management: to allow end-users to manage their own credentials, anytime, anywhere, without having to involve the help desk
- Access certifications: to ensure that user access is appropriate, conforms to policy, and meets audit and compliance requirements
With identity governance, organisations can confidently deploy SSO knowing that appropriate preventive controls are in place. This fine-grained provisioning is based on defined policies and roles to ensure that users have access to only the minimum resources they need (“least privileged”). For example, when users are terminated, access privileges are automatically revoked from the SSO system and target resources, as well as those applications not tied into the SSO solution. Identity governance also provides password management to help enforce regular password changes, adequate password strength and control password reuse.
Identity governance also provides critical detective controls that allow organisations to review and monitor user access for anomalies needing further investigation. It is not enough to simply define access controls and forget about them. Detective controls allow organisations to identify and rectify problems before they lead to a catastrophic breach.
As the environment becomes more open and the technology mix becomes more complex, it has never been more critical for organisations to implement identity governance with strong controls to mitigate the associated risks of convenience. A balanced IAM strategy will allow organisations to deploy SSO to address business users’ convenience needs, while using an identity governance foundation to strengthen security and meet compliance and risk management goals. By embedding identity governance policy and controls throughout all IAM processes, organisations can overcome the security balance dilemma and achieve both convenience and control.
About the author
Kevin Cunningham is the president and co-founder of SailPoint, which provides identity governance solutions including cloud-based and on-premise identity and access management software.