De-mystifying Security Series: Identity & Access Management
The combination of on- and off-site computing resources is blurring the borders of the corporate network, making it harder than ever to define and defend the network perimeter. In this new perimeterless environment, user identity is critical to controlling resource access.
“Identity & Access Management” (IAM) describes the various tools and techniques used to secure systems against unauthorised use; essentially, the system authenticates users’ identities and authorises access to your applications and data according to permissions granted. IAM is designed to re-centralise and strengthen access control mechanisms by managing identities across your various systems. Typically IAM relies on a directory to unify the authentication mechanisms detailed below.
It is important to realise that unauthorised use includes misuse of system privileges - especially by admin-level users. I&AM should address both internal and external access permissions and threats.
Modern IAM methods go beyond traditional username and password combinations, adding additional authentication complexity to reduce risk of resource/network breach.
SSO – short for Single Sign-On – defines a method by which login credentials are shared between several disparate systems and platforms. This allows users to log into multiple systems simultaneously using the same username and password combination.
In most deployments, credentials are stored securely in a Lightweight Directory Access Protocol (LDAP) database. The LDAP protocol is then used to pass authentication tokens – rather than user name/passwords pairs to each of the connected applications and services. This is not only easier for end users, but also more secure, reducing the potential surfaces for brute force login security attacks.
Traditional user name/password authentication methods are vulnerable to brute force attacks – or basic compromise through reuse of passwords. Multi-Factor Authentication (MFA) adds a secondary layer of authentication, using a token or similar in addition to the user’s credentials.
This secondary authentication method may be a code sent by SMS or push notification to the user’s smartphone, or a biometric parameter such as fingerprint or facial scan. Because this additional factor is not set by the user, it cannot be easily compromised, dramatically increasing the protection afforded at login.
Building on MFA, Adaptive Authentication adds context to the login process, ensuring users are provided with the correct authentication methods according to their risk profile and habits. In a static deployment, users are assigned a risk level based on their role, the systems they need to access, where they are logging in from, hours of access etc, and then assigned the appropriate MFA method according to those factors.
In dynamic Adaptive Authentication deployment, the system analyses and learns the behaviours of each end user over time. The system uses behavioural correlation to assign the most appropriate MFA method at any given moment according to its own observations. The use of dynamically allocated Adaptive Authentication further strengthens protections against hackers by making it even harder to bypass additional MFA factors.
Navisite partners with leading identity access and management providers to protect client identities and access to critical data. Combined with our Azure Identity expertise, Navisite can assist clients with ranging identity requirements with a comprehensive suite of identity solutions across hybrid cloud environments.