Do your Applications continue to have orphan accounts?

What is an Orphan Account?

An Orphan Account is an account belonging to a user who has since left the organization while the account, and the access associated with it, is still active. These accounts have somehow slipped past the de-provisioning paper trail. Such accounts can be exploited to gain unauthorized access to sensitive information and resources, and because nobody owns them, the hole they create in your security can stay open in perpetuity.

What are the different types of Orphan Accounts?

1. Terminated Users' Accounts
2. System/Generic Accounts, which are not mapped to any specific user
3. FTP Accounts, which are used by multiple stakeholders
4. Potentially Malicious Accounts

Another important security issue faced by most organizations arises when they allow employees to install certain types of applications with their personal account and without the involvement of the IT team. When an employee leaves the organization, it sometimes happens that his colleagues continue to use such an application with the same login credentials. Such an account now becomes a shared account, which is even harder for IT teams to track.

What is the Traditional or Manual Termination Process?

How can Access Review as a Service (ARaaS) help you?

When an employee leaves an organization, unflagging his identity can ideally be completed in 5 seconds. This depends entirely on how well the IT groups understand the concept and importance of Provisioning and De-provisioning.

Access Review as a Service is a vital part of Provisioning & De-Provisioning. User access review is a process that an organization implements to actively monitor and verify the appropriateness of a user's access to applications, based on an understanding of the minimum access users need to perform or support business functions. The responsibility for granting access and for periodically verifying that the access is still appropriate rests with the application owner.
What is Xpress ARaaS?

Xpress ARaaS is an Access Governance tool by ILANTUS that helps enterprises address business challenges such as continuous compliance, user access review/recertification and consistent access monitoring across heterogeneous applications. The solution helps automatically manage orphan accounts across applications in the following scenarios:

➤ Immediate notification after an employee has left the organization
➤ Identification of Orphan Accounts
➤ Remediation of Orphan Accounts
➤ Deletion or disabling of all Orphan Accounts across applications
➤ Better management of shared accounts
➤ Changing the passwords of shared accounts
➤ Notifying the other active users or the admin of the newly generated random password
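The following Python is an added illustration, not ILANTUS code: it reconciles a constructed application account export against a constructed HR roster to flag the orphan account types listed earlier and to propose the remediation scenarios above. The roster, the account records and the action names are assumptions made for the example.

```python
from typing import Optional

# Constructed HR roster: employee id -> employment status (hypothetical data).
HR_ROSTER = {"E100": "active", "E101": "terminated", "E102": "active"}

# Constructed account export from one application, as a collector would return it.
APP_ACCOUNTS = [
    {"login": "alice", "owner": "E100", "enabled": True, "privileged": False},
    {"login": "bob", "owner": "E101", "enabled": True, "privileged": True},
    {"login": "svc_backup", "owner": None, "enabled": True, "privileged": True},
    {"login": "ftp_share", "owner": None, "enabled": True, "privileged": False, "shared": True},
    {"login": "dave", "owner": "E999", "enabled": True, "privileged": False},
    {"login": "carol", "owner": "E102", "enabled": False, "privileged": False},
]

def classify(account: dict, roster: dict) -> Optional[str]:
    """Return the orphan category for one account, or None if it is healthy.

    Categories follow the post's list: terminated-user accounts, system/generic
    accounts with no owner, shared (e.g. FTP) accounts, plus accounts whose
    recorded owner is unknown to HR, which a reviewer must treat as suspect.
    """
    if not account["enabled"]:
        return None  # already disabled, nothing left to remediate
    owner = account.get("owner")
    if owner is None:
        return "shared" if account.get("shared") else "system_generic"
    status = roster.get(owner)
    if status is None:
        return "unknown_owner"
    return None if status == "active" else "terminated_user"

def find_orphans(accounts: list, roster: dict) -> list:
    """List (login, category) for every orphan, privileged accounts first."""
    hits = [(a["login"], classify(a, roster), a["privileged"]) for a in accounts]
    hits = [h for h in hits if h[1] is not None]
    hits.sort(key=lambda h: (not h[2], h[0]))  # privileged first, then by login
    return [(login, cat) for login, cat, _ in hits]

# Default action a review campaign would ask the reviewer to confirm per category
# (hypothetical action names, not the product's own).
ACTIONS = {
    "terminated_user": "disable",
    "unknown_owner": "disable",
    "system_generic": "assign_owner_or_disable",
    "shared": "rotate_password_and_notify_owner",
}

def remediation_plan(accounts: list, roster: dict) -> dict:
    """Map each orphan login to its proposed remediation action."""
    return {login: ACTIONS[cat] for login, cat in find_orphans(accounts, roster)}
```

Running the same reconciliation per application and per review cycle is what turns the scenario list above into a repeatable detection, with the privileged orphans surfacing first for the reviewer.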

The Xpress ARaaS solution can help configure and run review campaigns for all reviewers at defined intervals. The solution automatically sends review campaigns to all configured and dynamically discovered managers, application owners, internal auditors, etc. to review the orphan accounts.

In the process of reviewing orphan accounts, reviewers can take the following actions:

Manish Kumar Podhar
Global Practice Head – Access Governance (EMEA & APAC)

How to choose an Access Management (AM) solution


“By 2019, more than 80% of organizations will use access management software or services, up from 55% today.” – Gartner, 2017

Access Management (AM) is evolving to support digital business requirements. AM increasingly works along with Identity Governance and Administration (IGA) and Data Sources.


Functions of Access Management

The key functions of AM are listed below.
1. User Authentication – Verifying the identity of a user
2. Single Sign-On (SSO) – Allows a user to access multiple applications with one set of login credentials
3. Session Management – The process of managing the lifecycle of a user session
4. Coarse Grained Authorization – Allowing only members of a certain group or role to perform a privileged operation
5. Fine Grained Authorization – Allowing only a certain individual user to perform a specific action on a specific object within the target application
6. Security Token Services (STS) – The service component that builds, signs, and issues security tokens according to the WS-Trust and WS-Federation protocols

Access Management Solutions

There are various kinds of AM solutions available in the market.
1. Federated Authentication and Authorization Services: These solutions provide standards-based SSO and coarse-grained authorization. However, they do not provide session management or fine-grained authorization.
2. Traditional Web Access Manager (WAM) Software: These solutions provide SSO, session management, STS, authorization enforcement on fine-grained access targets and support for legacy on-premises apps. However, they do not provide standards-based SSO, password vault-and-forward style web SSO, MFA or IGA functions.
3. Externalized Authorization Manager (EAM) Software: The scope of these solutions is limited to authorization enforcement on fine-grained access targets. They do not provide authentication, SSO or STS. Strong entitlement governance and the participation of target application developers are critical to a successful implementation of these solutions.
4. IDaaS based Access Management: These solutions provide standards-based SSO, password vault-and-forward style web SSO, MFA, coarse-grained authorization, some IGA functions and reporting for web apps. However, they do not provide fine-grained authorization enforcement. These solutions find the handling of legacy on-premises apps challenging, and very few products offer this feature.

Gartner says that “By 2021, IDaaS will be the majority access management delivery model for new purchases, up from less than 20% today.”

Considerations for Decision Making
In this section we will look at some of the key considerations for decision making on the solution to be adopted for Access Management.
There are several Access Management solutions available in the market which are either:
1. Point Solutions that cater to one or more AM functions mentioned above at a great degree of depth.
2. Multi-function Solutions that cater to most of the AM functions mentioned above at a most commonly required level.

Components of Access Management
The key components to be kept in mind for selection of an Access Management solution are given below.
1. User Audience – Who is going to use the solution? This can be a combination of one or more of the below:
a. Employees
b. External users like contractors, partners
c. Consumers
Does the solution cater to all the constituents of the expected user audience?

2. Criticality and longevity of Target Applications in scope – Does the solution cater to all the critical target applications? Often, some of the applications currently in use will be replaced by other applications in the immediate, short or long term. Consider whether the solution must address the application currently in use, the new application, or both.

3. Endpoint Devices – Users are increasingly accessing their applications across several devices. At times these can also be Internet Connected Things. Does the solution cater to all the devices that users are expecting to access the applications over?

4. Application Architecture – Most of the time, the different applications used in an organization follow different architectures. Is the solution compatible with the architecture of each of the target applications?

5. External Authentication and Authorization Options – There are solutions that support the externalization of authentication and authorization to commonly used providers such as Social ID providers. Does the solution support such externalization? Is this a requirement?

6. Location of logical and physical components of target applications – Security, statutory and regulatory compliance requirements may dictate where the solution, its data, and its physical and logical components must be located. Does the solution cater to these requirements?
Consider the above components based on the requirements of Target Systems and Applications of your organization. Also consider the current Solution in place and gaps in the solution to cater to the requirements.

Delivery Models
Access Management solutions are delivered as On-Premise, Cloud or Hybrid solutions. Consider the following:
• Organization size
• Compliance needs and risk adversity
• Need for support to legacy apps
• Availability of in-house IAM skills

The higher the level of the above considerations, the more an On-Premise software based solution is recommended. If they are lower, Cloud based IDaaS solutions are recommended. Hybrid solutions can be considered where existing investments need to be leveraged.
With Cloud based IDaaS solutions, managing the solution is a shared responsibility and considerable responsibility of the solution is borne by the solution provider.

Risks vs Value
IDaaS based AM comes with its own risks. However, it delivers substantial value. Consider the following while deciding.

IDaaS based Access Management – Risks vs. Value

Risks             Values
Security          Staff augmentation
Availability      User convenience
Supplier          Rapid time to value
Compliance        Operational improvements
Provider agility  Security and availability

ILANTUS IDaaS Next
ILANTUS IDaaS Next is one of the most in-depth and advanced fully-featured access management solutions, encompassing all the traditional elements of an Identity and Access Management solution together with enterprise-grade identity governance capabilities that are always available, always up-to-date and accessible from any device, at any time.
Reach out to us at inquiry@ilantus.com to learn more.


CIOs & CISOs may have to bear the brunt of Privacy Failures



The Chief Security Officers of Facebook, Twitter and Google are all leaving their companies, in the same week that Facebook announced that a researcher at Cambridge Analytica, who worked for the Trump campaign, got hold of data on 50 million users.

The job of CISOs and CIOs is becoming more critical and more risky. The security exposure caused by internal employee data and company data being compromised is increasing at an alarming rate. More and more personal information is going onto the internet and to service providers, and it is being used by consumer product and service companies, sometimes with no limits. For example, companies in the business of giving out loans are openly obtaining data from your mobile phone about your credit, salary and other private matters.

All of this has helped companies reduce the risks of doing business and increase sales. Unfortunately, all predictions are that the negative fallout of all this is around the corner. While Europe is bringing in GDPR and other Western countries are moving to control data privacy, developing economies like India are in a pathetic situation, with little action initiated so far.

The impact of the incoming fallout will unfortunately be borne by CIOs & CISOs. As it is, they are struggling with not being listened to enough and not being given enough budget.


ILANTUS ARaaS Hosting Operations

Component          Availability
Availability       The solution will be available for 12, 24 or 36 months, as selected. For the second and any following recertification cycles, 15 days' advance notice is all that is required to gain full access to your environment.
Environments       One environment: Production
Operations         24×7
Disaster Recovery  Mean time to recovery after a DR event is 6 hours; maximum possible data loss after a DR event is 1 hour.

Service Level Agreements
Component                                          Availability of Environment During Cycle
Hosted ARaaS – AGS Standard Access Review Service  99%, exclusive of maintenance windows

Application On-boarding Services for ARaaS


ILANTUS Application On-boarding Services consists of expertly trained consultants who can fill the gaps in your knowledge or resource availability. ILANTUS provides three different options for engaging application on-boarding services:

End to End Setup
  • Gather the integration requirements
  • Configure the application collectors
  • Perform the account assessment
  • Set up access review campaigns
  • Support testing and production migration
On Call Setup Support
  • Provide Email/Phone guidance as required to the TMX resource to successfully complete the application on-boarding
Hybrid Setup Support
  • Gather the integration requirements
  • Configure the application collectors
  • Provide Email/Phone guidance as required to the TMX resource to successfully complete the application on-boarding