Category

Access Review

Adding ‘I Am’ to IAM

By | Access Review, IAM | No Comments

The presumption of innocence states that the onus on proving guilt belongs to the accuser and not to the defender. However, Cybersecurity in the past decade, and Identity and Access Management (IAM) in specific, has been more aligned, In principle, with feudal law.

Most users are innocent. They have a right to say “I am. I exist. I have a right to freedom and not to be constantly suspected of harming society.” IAM systems today make them feel the opposite – that “I am NOT. Only hackers are. I must somehow exist within this criminal networking universe.”

The architecture behind most IAM systems is based on proving a user’s innocence. It is becoming increasingly challenging to prove that you are an authorized person with policies such as multifactor authentication.

The user experience at the front end is no different. What with captchas and frustrating user-lockouts when incorrect credentials are entered, despite ~98% of human customers being legitimate and low fraud-risk, most people are put behind metaphorical bars for crimes they have never committed.

And trust is a two-way street. How can you expect your customers to trust you (and more importantly, end users to trust and adopt your SSO solution), if you show no trust in them?

Users must be given the benefit of the doubt. They must be allowed freedom within their networks.

Ronald Reagan said it best. He said, “trust but verify”. This is the direction that IAM architecture and user experience needs to flow in. At the moment, the IAM landscape operates not even in verification mode but in an outright ‘prove-your-innocence’ model.

According to industry analyst ‘Gartner’, “by 2022, digital businesses with great customer experience during identity corroboration will earn 20% more revenue than comparable businesses with poor customer experience.” This is because in our evolving, networked world, customer experience is becoming one of the single most important reasons to buy from a business. Competition is perpetually increasing, innovation is cut-throat and always cutting edge, and people actively educate themselves before making purchases.

And user experience is exponentially more important in products such as Single Sign-On and Password Management which are targeted at businesses. A poor user experience results in low adoption of the solution (Read: Combating Low User Adoption).

IAM vendors need to change their mindset and play a different game.

Instead of just jailing customers out of their apps until they prove that they are worthy of access, they must use their own intelligence in the form of computer learning, behavioral analytics, etc.

In 2017, Gartner suggested a good framework for building IAM systems that treat customers fairly:
1. Identify Signs of Legitimate Behavior (Good Customers)
2. Identify Evolving Attack Methods and Patterns (Criminals)
3. Apply Intelligent, Context-Based Adaptive Access to Customer Interactions

A technology that is solving the issue in terms of architecture is Adaptive Authentication. Already available from many vendors, it revolves around using intelligence to differentiate between genuine and fraudulent access attempts (Read: Adaptive Authentication: The Hacker’s Waterloo).

However, it is the basic attitude behind our attempts to protect users that needs to change. Hacking makes headlines, but in terms of statistics is a low-priority use of the internet. We must assess the reality of security risks and design our solutions accordingly. Simply building as many walls as possible is not the answer – we must create intelligent, responsive gateways if we want IAM adoption to grow.

How to choose an Access Management (AM) solution

By | Access Review, Access Review as a Service, ARaaS, IAM, IDaaS, Uncategorized | No Comments

“By 2019, more than 80% of organizations will use access management software or services, up from 55% today.” – Gartner, 2017

Access Management (AM) is evolving to support digital business requirements. AM increasingly works along with Identity Governance and Administration (IGA) and Data Sources.

 

Functions of Access Management

The Key functions of AM are listed below.
1. User Authentication – Verifying the identity of a user
2. Single Sign-On (SSO) – Allows a user to access multiple applications with one set of login credentials
3. Session Management – The process of managing the lifecycle of a user session
4. Coarse Grained Authorization – Allowing only members of a certain group or role to perform a privileged operation
5. Fine Grained Authorization – Allowing only a certain individual user to perform a specific action on a specific object within the target application
6. Security Token Services (STS) – The service component that builds, signs, and issues security tokens according to the WS-Trust and WS-Federation protocols

Access Management Solutions

There are various kinds of AM solutions available in the market.
1. Federated Authentication and Authorization Services: These solutions provide Standards-based SSO and coarse-grained authorization. However, they do not provide Session management and fine-grained authorization.
2. Traditional Web Access Manager (WAM) Software: These solutions provide SSO, Session management, STS, Authorization enforcement on fine-grained access targets and Legacy on-premises apps support. However, they do not provide Standards-based SSO, password vault-and-forward style web SSO, MFA, IGA functions
3. Externalized Authorization Manager (EAM) Software: The scope of these solutions is limited to providing Authorization enforcement on fine-grained access targets. However, they do not provide Authentication, SSO or STS. Strong entitlement governance and participation of target application developers are critical to success of implementation of these solutions.
4. IDaaS based Access Management: These solutions provide Standards-based SSO, Password Vaulting-and-Forwarding Style Web SSO, MFA, coarse-grained authorization, some IGA functions and reporting for web apps. However, they do not provide Fine-grained authorization enforcement. These solutions find handing of Legacy on-premises apps to be challenging and very few products offer this feature.

Gartner says that “By 2021, IDaaS will be the majority access management delivery model for new purchases, up from less than 20% today.”

Considerations for Decision Making
In this section we will look at some of the key considerations for decision making on the solution to be adopted for Access Management.
There are several Access Management solutions available in the market which are either:
1. Point Solutions that cater to one or more AM functions mentioned above at a great degree of depth.
2. Multi-function Solutions that cater to most of the AM functions mentioned above at a most commonly required level.

Components of Access Management
The key components to be kept in mind for selection of an Access Management solution are given below.
1. User Audience – Who is going to use the solution? This can be a combination of one or more of the below:
a. Employees
b. External users like contractors, partners
c. Consumers
Does the solution cater to all the constituents of the expected user audience?

2. Criticality and longevity of Target Applications in scope – Does the solution cater to all the critical target applications? Often, some of the applications that are currently in use would be replaced by other applications in the immediate, short or long term. Consider if the solution must address the application currently in use, the new application or both?

3. Endpoint Devices – Users are increasingly accessing their applications across several devices. At times these can also be Internet Connected Things. Does the solution cater to all the devices that users are expecting to access the applications over?

4. Application Architecture – Most of the times, different applications used in an organization follow a different architecture. Is the solution compatible with the architecture of the different target applications?

5. External Authentication and Authorization Options – There are solutions that support the externalization of authentication and authorization to commonly used providers such as Social ID providers. Does the solution support such externalization? Is this a requirement?

6. Location of logical and physical components of target applications – Security, Statutory and Regulatory Compliance requires the locations of the solution, data, physical and logical components to be at certain locations. Does the solution cater to these requirements?
Consider the above components based on the requirements of Target Systems and Applications of your organization. Also consider the current Solution in place and gaps in the solution to cater to the requirements.

Delivery Models
Access Management solutions are delivered as On-Premise, Cloud or Hybrid solutions. Consider the following:
• Organization size
• Compliance needs and risk adversity
• Need for support to legacy apps
• Availability of in-house IAM skills

Higher the level of the above considerations, On-Premise Software based solutions are recommended. If they are lower, Cloud based IDaaS solutions are recommended. Hybrid solutions can be considered where existing investments need to be leveraged.
With Cloud based IDaaS solutions, managing the solution is a shared responsibility and considerable responsibility of the solution is borne by the solution provider.

Risks vs Value
IDaaS based AM comes with its own risks. However, it delivers substantial value. Consider the following while deciding.

IDaaS based Access Management – Risks vs. Value

Risks Values
Security Staff augmentation
Availability User convenience
Supplier Rapid time to value
Compliance Operational improvements
Provider agility Security and availability

ILANTUS IDaaS Next
ILANTUS IDAAS is one of most in-depth and advanced fully-featured access management solution encompassing all the traditional elements of an Identity and Access Management solution with enterprise-grade identity governance capabilities that are always available, always up-to-date and accessible from any device, at any time.
Reach out to us at inquiry@ilantus.com to know more

Request a Demo

CIOs & CISOs may have to bear the brunt of Privacy Failures

By | Access Review, Access Review as a Service, ARaaS, IAM, IDaaS, Uncategorized | No Comments

 

The Chief Security Officers of Facebook, Twitter and Google all are leaving their companies, in the same week that Facebook announced that a researcher at Cambridge Analytica, who worked for the Trump campaign,  got hold of data on 50 million users.

The job of CISOs and CIOs is becoming more critical and risky. The Security vulnerability due to internal employee and company data being compromised is increasing at an alarming rate. More and more personal information going on internet and to service providers has been used by consumer product and service companies, sometimes with no limits. For example: Companies that are in the business of giving out loans are openly obtaining data from your mobile phones about your credits, salaries and other private data.

All these have helped companies in reducing risks of doing business and increasing sales. Unfortunately all  predictions are that the negative fallout of all this is around the corner. While Europe is bringing in GDPR and other Western Countries are getting to control data privacy, developing economies like India are in a pathetic situation with little action has been initiated so far.

The impact of the incoming fallout unfortunately will be borne by CIOs & CISOs. As it is, they are struggling with being given not enough listening and budgets.

 

 

ILANTUS ARaaS Solution –Modular Approach

By | Access Review | No Comments

Access Review as a Service is a user friendly automated process with quick and easy implementation.  ILANTUS provides training to enable staff with the skills for tool adoption, ease of administration post implementation and with a Managed Services option that manages the environment during review cycles.  Professional and Managed Services differentiates ILANTUS with this cloud based solution driven by RSA technology.

Access Compliance Manager (ACM)

  • Access Review
  • Validation and Access Risks Analysis
  • Access Revocation through Help Desk
  • Review for Exceptional Access for SoD

Value: Engineered to eliminate 70% to 80% of traditional deployment timelines (Quick Time to Value).

ACM provides:

  • Value: Engineered to eliminate 70% to 80% of traditional deployment timelines (Quick Time to Value).
  • Support: Minimizes the complexity of solution management and support.
  • Choice: Eliminates the gaps in your current Identity solution with ILANTUS options.
  • Flexible: Allows you to choose the modules you want, when you want.
  • Secure: Compliant with industry certifications: SSAE 16 SOC1 and ISO 27001

Click here for more information