Security versus convenient access
November 2016, This Week's Editor's Pick, Access Control & Identity Management, Integrated Solutions, IT infrastructure
Like it or not, in the application economy every enterprise is now in the software business and the challenges ahead are daunting. Budget constraints continue to be a common obstacle, but they are closely followed by security concerns.
Many have found that protecting the identity of users and safeguarding sensitive data is easier said than done when contending with:
• Exploding user and application populations. The sheer volume of applications, their rate of change and the diversity of end-users has never been greater. To enable and protect the business, enterprises must efficiently manage:
a) the identities of this growing user base, and
b) their access to the appropriate applications.
• The externalisation of IT. In order to meet the break-neck pace of application demand while keeping costs low, businesses have turned to cloud-based deployment models. Moreover, enterprises are increasingly embracing partner-delivered services and third-party applications to enhance their line-up of digital experiences. This diversity in application environments has erased the once well-defined boundaries of an enterprise, introducing new security considerations.
• Varied endpoints. Applications are everywhere – as are the employees, partners and customers accessing them. And, these users are leveraging a dizzying array of devices, from PCs and tablets to smartphones and wearables. In order to protect the business and grant the appropriate level of access, organisations must authenticate each user and each endpoint.
As digital interactions increase in volume and complexity, identity and access security have become more critical for both the organisation and end user. However, security measures should not be achieved at the cost of convenience. Today, intuitive and easy-to-use functionality drive applications are ripe for adoption. If a customer has to jump through awkward authentication hurdles, they will not hesitate to look elsewhere. And if an employee, partner or contractor must juggle multiple logins to gain access to essential services, frustration will quickly grow while productivity plummets.
In this culture, where security is paramount and the user experience is king, the ultimate goal is to provide users with easy and secure access to the applications they require – whether on premise or in the cloud – based on their identity, role and associated entitlements.
Appropriate security levels
So, how do we ensure appropriate security levels within this complex and rapidly evolving application economy?
The answer lies in a centralised identity and access management (IAM) service. This approach ensures all identity-related functions, such as authentication – and ultimately authorisation – are consistently managed by the enterprise and executed reliably across diverse channels. And true to the trends, many have begun to leverage IAM as a hosted cloud service for its cost-saving, flexible and elastic qualities. Utilising this elastic model, one can quickly obtain enterprise-grade IAM security capabilities without having to deploy or manage the large IT infrastructure typically associated with on premise solutions.
What are the drivers of cloud IAM adoption? They include:
• The need to expand or contract identity services based on the current needs of the business.
• A requirement to reduce resource and cost pressures. The cloud-based model eliminates the need for the procurement of hardware, facilities, security specialists and other expensive IT infrastructure to support on-premise solutions.
• The demand for accelerating the release of new business services with centralised and consistent IAM across on premise and cloud-based apps.
Application and user numbers are undeniably on the rise. In fact, it is not uncommon for operations to manage a customer user base of one million-plus and/or an employee, partner and contractor population in the hundreds of thousands. IAM as-a-Service enables you to centrally manage identities from account creation and assignment of access rights to fielding access requests and managing related user attributes.
Security and authentication will be more important to enterprises in the next two years as it will have higher visibility from executives because of recent data breaches. Forecasters predict that mobile phones and devices will be the authenticator used by most. When it comes to authentication, enterprises and end-users want two things – simple and secure. Organisations want ‘zero-touch authentication’ to deliver as frictionless and password-free an experience for their customers and employees as possible, and the mobile device will be a key element.
The shift from identity management to identity access security is another predication. Data breaches have hinged on compromising a user identity and new systems will require identity and access security that is intelligent, contextual and verifiable.
The flood of recent international breaches also means that identity management and authentication will have a higher profile in the boardroom. Corporate executives and boards will be held accountable for breaches that damage their corporate brand. This will increase their level of involvement in security strategy and governance. Security will shift from an IT problem to a business executive problem.
Physical and logical convergence
With smartcard-based physical access already in place at many enterprises, the next logical step is to provide the same level of protection for digital assets. Physical access control provides a first line of defence, but a multi-layered approach is required for truly proactive security. As such, there is a compelling argument to implement smartcards for logical access.
In fact, businesses are beginning to realise the benefits in cost savings, ease of use and increased security by ‘marrying’ physical and logical access control onto a single platform. Instead of adding technological and management complexities by having separate access control systems for physical facilities and electronic data, it makes more sense to combine the two solutions and gain higher assurance, cost savings, efficiency and ease of use.
The marriage of physical and logical access into a single solution builds an infrastructure of increased trust. Deploying smart cards to employees, partners and other key individuals is a proactive enterprise approach to higher assurance. Except for information that requires little or no protection, user names and passwords will one day be considered an unacceptable access control mechanism, as they are easily forgotten or compromised.
The multi-factor authentication and PKI architecture offered by smartcards vastly decreases the likelihood of unauthorised users gaining access to sensitive data. Today’s credential management solutions help manage heterogeneous environments that combine all of the normal access management models such as passwords, software certificates and hard physical tokens, allowing migration by department or groups from one model to the next and so on.
Ease of use is another compelling argument for marrying physical and logical access onto a single platform. Users will not have to carry multiple credentials, nor will they need to remember multiple passwords or PINs to access applications and data. Instead, they will have one smart card that can be used for everything.
Collaborate and integrate
Many companies consider integrating physical and logical security to be a technical effort. Logical and physical security organisational structures are typically described as two silos, each reporting up through different management structures. While this is not ideal, the organisational chasm can be bridged by having physical security participate by collaborating with the integration of the two systems.
With the use of embedded identity analytics, administrators will be able to drill down into potential ‘road blocks’ existing in logical and physical identity lifecycle management processes, allowing the identification of areas of process inefficiency and to ensure meeting business service level agreements.
One thing is certain, everything revolves around positive identification that can be audited and potentially used in court for prosecution. Perhaps most importantly, though, such an integrated system brings down the barriers that have stalled the convergence of physical and logical access control systems for so long.
IT departments and facilities management staff can finally work together to become more efficient and eliminate security gaps in the process, once an IT and user-friendly building security system has been acquired.
Privileged access management portfolio
CA Technologies has released enhancements to its comprehensive privileged access management portfolio, giving customers control over the privileged accounts that support a hybrid IT environment and are a frequent vector for cyber attacks.
By updating and integrating CA Privileged Access Manager (formerly Xceedium Xsuite) and CA Privileged Access Manager Server Control, CA helps reduce the risk of data breaches by extending the depth and breadth of control over privileged users, from the gateway to the server and from the database to the cloud – all from a single management console.
Says Michael Horn, CA Southern Africa, security business unit manager, “In any cyberattack, bad actors have a single goal in mind – elevate privilege in order to get access to the most sensitive systems and data. And if the attacker is a disgruntled insider, he or she may already have that access. CA’s privileged access management solutions help protect an organisation’s most sensitive systems and information.”
CA Privileged Access Manager allows customers to implement controls at the network gateway, managing privileged user access to systems and applications based on the identity of the individual user. CA Privileged Access Manager Server Control resides on the server and manages user activity based on resource protection, with policies that control file access and actions taken on the server. This prevents bad actors from covering their tracks and helps accelerate breach discovery.
With the enhancements, customers can consistently manage and control privileged users at both the network and the server. When an IT administrator accesses a system, CA Privileged Access Manager automatically triggers CA’s Server Control product and to apply policies on the server resources based on the individual’s identity vs. simply the administrator account. This provides a more detailed and granular level of access control.
In addition, CA Privileged Access Manager has expanded integration with service management tools to further streamline privileged user provisioning and de-provisioning for those individuals who only require short-term privileged user access, such as temporary employees or contractors.
Michael Horn, CA Southern Africa's security business unit leader.
Biography: Michael Horn
Michael Horn is the CA Southern Africa security business unit manager. Over the past three decades Michael has accumulated extensive specialist skills based on real-world exposure to: architecting; implementing – including the operational management – of a variety of information security technologies. Michael is a Certified Information Systems Security Professional (CISSP) and the author of several publications. Michael has experience in a wide range of identity and access management technologies including advanced authentication, identity consolidation, unified access management and privileged access management.
For more information contact Michael Horn, CA Southern Africa, +27 (0)11 417 8765, firstname.lastname@example.org.