Got identity problems on your mind? You aren’t alone. Last year, on April 12th, IDS Alliance and National Cybersecurity Alliance founded Identity Management Day.
In celebration of this day, we want to recognize the significance of Identity & Access Management (commonly abbreviated IdM or IAM) by sharing the pain points our customers face when handling digital identities in a distributed world.
Common identity and access problems
The rise in complex identity problems is not surprising considering the changing way we work. As employees moved away from their lovely office space to various locations around the globe – like that comfy couch at home, or the noisy coffee shop with spotty Wi-Fi – security boundaries have also changed. Today we can no longer rely solely on the firewalls, IDP, DLP systems, etc. set up by the organization’s security staff. Instead, we face the challenge of achieving the same level of security when employees are connected only through public infrastructure, outside the protection of company networks.
In these circumstances, controlling identity has become the key to maintaining a strong security posture, no matter your size, industry, or location. It is no surprise that companies are prioritizing IAM projects on their cyber security roadmaps.
Problem 1: MFA more, or MFA less?
Multi-Factor Authentication (MFA) – where a user’s identity is verified through a combination of something they know (username, password) and something they have (an MFA token tied to a phone number or app) – has become widely adopted over the last few years as a baseline security control to place in front of one’s web service. While it does serve its purpose, the authentication mechanism, depending on how exactly it is implemented, may cause a lot of inconvenience and friction for customers from the usability perspective.
Fortunately, with modern risk-based MFA engines and device fingerprinting options, it has become possible to prompt users for MFA tokens less often while maintaining similar levels of security assurance. The fact that such solutions exist and are deployed by certain businesses places identity management teams in an interesting situation, where they need to decide whether to require users to MFA more (for security) or less (for usability and an overall smooth experience).
Usually, organizations make this choice based on application criticality. For example, a critical application would require a token every time it is accessed, while a non-critical resource may require a token once a week.
While this might sound straightforward on paper, the real challenge security staff deal with is getting the resources classified correctly – with so many digital products now available, organizations struggle to keep track of what they have purchased and deployed, and how sensitive the data is that gets processed via those solutions.
This leads to overlooked critical applications or services and, as a result, certain MFA policies may not be assigned as they should be.
Solution: Strong collaboration. Data stewards, application owners, and governance teams must work together to provide the right data to the IAM team so that everything is accounted for and proper configurations are applied.
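The criticality-based policy described above, written out as a small decision function. This is an added example, not code from the original post or from any vendor's MFA engine; the inventory, tiers, and windows are constructed, and the one design choice worth copying is that a resource missing from the inventory fails closed to the critical policy instead of silently inheriting the weekly one.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory: resource -> criticality tier. In practice this is the
# classification data stewards and application owners supply to the IAM team.
RESOURCE_TIERS = {
    "payroll": "critical",
    "wiki": "standard",
}

# How long a prior MFA on a trusted, fingerprinted device stays valid per tier.
# timedelta(0) means a token is required on every access.
MFA_MAX_AGE = {
    "critical": timedelta(0),
    "standard": timedelta(days=7),
}

# Constructed clock for the demo below (timezone-aware, as a real engine should be).
SAMPLE_NOW = datetime(2024, 4, 12, 12, 0, tzinfo=timezone.utc)


def mfa_decision(resource, last_mfa_at, now, device_trusted=True):
    """Return (prompt_required, reason) for one access attempt.

    Fails closed: anything not in the inventory is treated as critical,
    so an overlooked application never inherits the relaxed weekly policy.
    """
    tier = RESOURCE_TIERS.get(resource)
    if tier is None:
        return True, "unclassified resource, treated as critical"
    if not device_trusted:
        return True, "device not fingerprinted/trusted"
    if last_mfa_at is None:
        return True, "no prior MFA on this device"
    age = now - last_mfa_at
    if age < timedelta(0):
        return True, "last MFA timestamp is in the future (clock skew)"
    if age >= MFA_MAX_AGE[tier]:
        return True, f"{tier} tier: MFA older than allowed window"
    return False, f"{tier} tier: recent MFA still valid"


def unclassified_resources(access_events):
    """Resources seen in access events but absent from the inventory: the
    list the IAM team hands back to data stewards and application owners."""
    return sorted({r for r in access_events if r not in RESOURCE_TIERS})


if __name__ == "__main__":
    print(mfa_decision("wiki", SAMPLE_NOW - timedelta(days=3), SAMPLE_NOW))
    print(mfa_decision("new-saas-tool", SAMPLE_NOW - timedelta(days=1), SAMPLE_NOW))
    print(unclassified_resources(["payroll", "new-saas-tool", "wiki"]))
```

Feeding the output of unclassified_resources back to the owners closes the loop the solution above calls for: every resource in use gets a tier, and the fail-closed default only ever bites the ones nobody has classified yet.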
Problem 2: Break glass accounts
With the move away from physical data centers into cloud computing and the adoption of more and more SaaS products, traditional models of providing emergency access to a critical account are less viable. And with fewer engineers physically present in an office, storing a physical copy of a password in a safe has become an outdated solution for break-glass protocols.
The question of whether or not to have break glass accounts – a shared account that provides super admin access to an application – has never been more critical. Unfortunately, this problem is often overlooked for many reasons, including the excitement and churn of getting a new product, not planning out disaster scenarios until an outage has occurred, or the person possessing the knowledge of a recovery password having left the company. This becomes an increasingly complex architecture design item when implementing products like Privileged Access Management (PAM) vaults, which are themselves intended to store critical credentials, so ensuring continuous access to them is crucial in recovery scenarios.
Solution: Companies should implement a strong process and a centralized storage location for keeping critical passwords safe, and have working break-glass procedures developed for emergencies in a remote-first environment.
Problem 3: Admin vs regular accounts
Another common challenge organizations face is properly segregating regular user accounts from administrative, highly privileged accounts. This is not a new problem, by any means, but is quickly becoming a hot topic again now that users are accessing resources from varied locations, different devices, and with different sets of security controls in place.
Unless this was a ground rule for the organization from the very beginning, making users switch from the comfort of a single account for accessing everything to keeping multiple accounts with separate passwords and MFA can be a challenging task.
Solution: Organizations should focus on creating a strong change management campaign to emphasize the security benefits of keeping the accounts separated. Stakeholders should also consider where users can store their credentials and provide a reliable vaulting solution to make this adoption less painful.
At Kalles Group, we have been solving problems like those mentioned above for more than a decade. Our team has experience overcoming identity challenges at all levels of an organization: from long-term strategy to hands-on implementation.
If you’d like to discuss different solutions for your Identity Management challenges, contact us today.