Category

Access Review as a Service

How to choose an Access Management (AM) solution

By | Access Review, Access Review as a Service, ARaaS, IAM, IDaaS, Uncategorized | No Comments

“By 2019, more than 80% of organizations will use access management software or services, up from 55% today.” – Gartner, 2017

Access Management (AM) is evolving to support digital business requirements. AM increasingly works alongside Identity Governance and Administration (IGA) and the organization's data sources.


Functions of Access Management

The key functions of AM are listed below.
1. User Authentication – Verifying the identity of a user
2. Single Sign-On (SSO) – Allows a user to access multiple applications with one set of login credentials
3. Session Management – The process of managing the lifecycle of a user session
4. Coarse Grained Authorization – Allowing only members of a certain group or role to perform a privileged operation
5. Fine Grained Authorization – Allowing only a certain individual user to perform a specific action on a specific object within the target application
6. Security Token Services (STS) – The service component that builds, signs, and issues security tokens according to the WS-Trust and WS-Federation protocols
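The distinction between coarse-grained and fine-grained authorization in items 4 and 5 is the one that most often decides whether an AM product fits a target application, so here is a small worked example. It is added here and is not code from the original post or from any ILANTUS product; the users, roles, documents, operations and the ACL layout are constructed sample data. A coarse-grained check asks only "is the caller in an allowed role?", while a fine-grained check asks "may this specific user perform this specific action on this specific object?", which is why the latter needs cooperation from the target application (it must expose its objects and actions to the policy).

```python
"""Added example (not from the original post): a minimal authorization
service that contrasts coarse-grained (role/group based) checks with
fine-grained (user + action + object) checks, as defined in the post.
All users, roles, objects and policies below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: frozenset[str]


@dataclass
class Document:
    doc_id: str
    owner: str
    # Fine-grained ACL kept on the object itself: user -> allowed actions.
    acl: dict[str, frozenset[str]] = field(default_factory=dict)


class Authorizer:
    """Coarse-grained: a privileged operation is gated on role membership.
    Fine-grained: an action on one object is gated on that object's per-user
    ACL (plus an owner rule). Both deny by default."""

    # Which roles may perform each privileged operation (coarse-grained).
    # Constructed sample policy.
    PRIVILEGED_OPERATIONS = {
        "create_user": {"admin"},
        "export_audit_log": {"admin", "auditor"},
    }

    def coarse_allowed(self, user: User, operation: str) -> bool:
        allowed_roles = self.PRIVILEGED_OPERATIONS.get(operation)
        if allowed_roles is None:
            return False  # unknown operations are denied by default
        return bool(user.roles & allowed_roles)

    def fine_allowed(self, user: User, action: str, doc: Document) -> bool:
        if doc.owner == user.name:
            return True  # owners have full control of their own object
        return action in doc.acl.get(user.name, frozenset())


def demo() -> dict[str, bool]:
    """Run both kinds of check over constructed sample principals."""
    auth = Authorizer()
    alice = User("alice", frozenset({"admin"}))
    bob = User("bob", frozenset({"auditor"}))
    carol = User("carol", frozenset({"employee"}))
    plan = Document("doc-42", owner="carol", acl={"bob": frozenset({"read"})})
    return {
        # coarse-grained: the role decides, regardless of any object
        "alice_create_user": auth.coarse_allowed(alice, "create_user"),
        "bob_create_user": auth.coarse_allowed(bob, "create_user"),
        "bob_export_audit": auth.coarse_allowed(bob, "export_audit_log"),
        # fine-grained: specific user, specific action, specific object
        "bob_read_plan": auth.fine_allowed(bob, "read", plan),
        "bob_edit_plan": auth.fine_allowed(bob, "edit", plan),
        # an admin role alone grants nothing on a specific document
        "alice_read_plan": auth.fine_allowed(alice, "read", plan),
        "carol_edit_plan": auth.fine_allowed(carol, "edit", plan),
    }


if __name__ == "__main__":
    for check, decision in demo().items():
        print(f"{check}: {'ALLOW' if decision else 'DENY'}")
```

Note that the admin user is denied on the document: a product that only offers coarse-grained authorization cannot express that decision at all, which is the gap the Externalized Authorization Manager category below exists to fill.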

Access Management Solutions

There are various kinds of AM solutions available in the market.
1. Federated Authentication and Authorization Services: These solutions provide standards-based SSO and coarse-grained authorization. However, they do not provide session management or fine-grained authorization.
2. Traditional Web Access Manager (WAM) Software: These solutions provide SSO, session management, STS, authorization enforcement on fine-grained access targets and support for legacy on-premises apps. However, they do not provide standards-based SSO, password vault-and-forward style web SSO, MFA or IGA functions.
3. Externalized Authorization Manager (EAM) Software: The scope of these solutions is limited to authorization enforcement on fine-grained access targets. They do not provide authentication, SSO or STS. Strong entitlement governance and the participation of target application developers are critical to a successful implementation of these solutions.
4. IDaaS based Access Management: These solutions provide standards-based SSO, password vault-and-forward style web SSO, MFA, coarse-grained authorization, some IGA functions and reporting for web apps. However, they do not provide fine-grained authorization enforcement. Handling legacy on-premises apps is challenging for these solutions, and very few products offer this feature.

Gartner says that “By 2021, IDaaS will be the majority access management delivery model for new purchases, up from less than 20% today.”

Considerations for Decision Making
In this section we look at some of the key considerations for deciding which solution to adopt for Access Management.
The Access Management solutions available in the market are either:
1. Point Solutions that cater to one or more of the AM functions mentioned above in great depth.
2. Multi-function Solutions that cater to most of the AM functions mentioned above at the depth most commonly required.

Components of Access Management
The key components to be kept in mind for selection of an Access Management solution are given below.
1. User Audience – Who is going to use the solution? This can be a combination of one or more of the following:
a. Employees
b. External users like contractors, partners
c. Consumers
Does the solution cater to all the constituents of the expected user audience?

2. Criticality and longevity of Target Applications in scope – Does the solution cater to all the critical target applications? Often, some of the applications that are currently in use would be replaced by other applications in the immediate, short or long term. Consider if the solution must address the application currently in use, the new application or both?

3. Endpoint Devices – Users increasingly access their applications from several devices, which can also include Internet-connected things. Does the solution cater to all the devices from which users expect to access the applications?

4. Application Architecture – In most cases, the different applications used in an organization follow different architectures. Is the solution compatible with the architecture of each of the target applications?

5. External Authentication and Authorization Options – There are solutions that support the externalization of authentication and authorization to commonly used providers such as Social ID providers. Does the solution support such externalization? Is this a requirement?

6. Location of logical and physical components of target applications – Security, statutory and regulatory compliance requirements may dictate where the solution, its data and its physical and logical components must be located. Does the solution cater to these requirements?
Consider the above components based on the requirements of Target Systems and Applications of your organization. Also consider the current Solution in place and gaps in the solution to cater to the requirements.

Delivery Models
Access Management solutions are delivered as On-Premise, Cloud or Hybrid solutions. Consider the following:
• Organization size
• Compliance needs and risk aversion
• Need for support to legacy apps
• Availability of in-house IAM skills

The higher the organization rates on the above considerations, the more an On-Premise software based solution is recommended. If they rate lower, Cloud based IDaaS solutions are recommended. Hybrid solutions can be considered where existing investments need to be leveraged.
With Cloud based IDaaS solutions, managing the solution is a shared responsibility, and a considerable part of that responsibility is borne by the solution provider.

Risks vs Value
IDaaS based AM comes with its own risks. However, it delivers substantial value. Consider the following while deciding.

IDaaS based Access Management – Risks vs. Value

Risks:
• Security
• Availability
• Supplier
• Compliance
• Provider agility

Values:
• Staff augmentation
• User convenience
• Rapid time to value
• Operational improvements
• Security and availability

ILANTUS Compact Identity
Compact Identity is a compressed yet complete and agile yet powerful IAM solution for SMBs. It delivers where it matters – on reliability, performance and innovativeness. Built from the ground up specifically for this size segment, it is also one of the only products in the entire IAM landscape that boasts patented thick-client (SAP etc.) Single Sign-On and Provisioning. You can get a full IAM suite with SSO, Password Management, ULM and AG for a subscription fee that is highly competitive across the entire market. Compact Identity is the first and last word in quality SMB Identity and Access Management.
Reach out to us at inquiry@ilantus.com to know more


CIOs & CISOs may have to bear the brunt of Privacy Failures



The Chief Security Officers of Facebook, Twitter and Google are all leaving their companies, in the same week that Facebook announced that a researcher at Cambridge Analytica, who worked for the Trump campaign, got hold of data on 50 million users.

The job of CISOs and CIOs is becoming more critical and more risky. Security exposure from compromised employee and company data is increasing at an alarming rate. More and more personal information flowing to the internet and to service providers has been used by consumer product and service companies, sometimes with no limits. For example, companies in the business of giving out loans are openly obtaining data from your mobile phones about your credit, salary and other private details.

All this has helped companies reduce the risks of doing business and increase sales. Unfortunately, all predictions are that the negative fallout of all this is around the corner. While Europe is bringing in GDPR and other Western countries are moving to control data privacy, developing economies like India are in a pathetic situation, with little action initiated so far.

The impact of the incoming fallout will unfortunately be borne by CIOs and CISOs. As it is, they are struggling to be heard and to secure adequate budgets.


ILANTUS ARaaS – Standard Access Review Service Package

By | Access Review as a Service | No Comments
Features and details of the package:
1. Who has Access to What – Centralized view of users and their access; intuitive administrative dashboards deliver summaries of key usage and activity statistics
2. Access Recertification – Up to four access recertification campaigns to perform user access certification, with maintain/revoke capability on users and their access
3. Closed Loop Remediation – Manual revoke/disable of target system accounts if a reviewer revokes access during re-certification
4. Auditing and Reports – All user access; orphan accounts; access certification
5. Alert & Notifications – Email notifications with pre-defined templates