Tag Archive for: Access Management

Top 8 Identity & Access Management Challenges with Your Saas Application

Download your SaaS IAM whitepaper from Okta.  Okta-IAM_SaaS_Challenges_Top_8

7 Tenets of Successful IAM (webinar)

SailPoint CTO and CISO Darran Rolls discusses the seven tenets of a successful IAM program in this informative webinar (59:15)

7 Tenets of Successful IAM (webinar)

 

Okta End-to-End Identity Management: From Access to Governance

(Feb 28, 2019 BBQ&A Presentation)

Why All The Emphasis On Insider Threats? Three Reasons:

Centrify Logo1. Insider security risks are more prevalent and potentially more damaging.

According to a study conducted by the Ponemon Institute, 34% of data breaches in the U.K., come from malicious activity, including criminal insiders, and 37% of breaches come from employee negligence. A previous Ponemon study indicated that a third of malicious attacks come from criminal insiders. Further, a Forrester study revealed that 75% of data breaches were caused by insiders, most often due to employee negligence or failure to follow policies. The most-often cited incidents were lost devices, inadvertent misuse of sensitive information and intentional theft of data by employees. The impact of data breaches and downtime, whether caused by insider malice or negligence, can cripple an organization, exposing it to lost revenue, significant brand damage and increasingly onerous regulatory fines and penalties.

2. User identity “blind spots” are causing audit failures.

Many organizations are failing audits because of blind spots in their identity infrastructures. Blind spots can occur when identities and entitlements are managed in disparate silos or on local servers rather than centrally. For example, one of the biggest identity challenges for companies — and a major cause of failed audits — is a lack of visibility into local administrator accounts on Windows. This is akin to the root account on a Linux/Unix system. Failed audits can be particularly damaging in today’s environment, in which regulations related to data loss and data protection are becoming more rigorous around the world. Companies that conduct business globally have to be in compliance with a wide range of rules and regulations to satisfy audit requirements.

As such, organizations must be able to provide proof that users who have access to certain servers and applications are actually authorised users. They must also be able to deliver an auditable trail of what each user has done within the server. These requirements mean organizational policies need to apply the principle of “least privilege access,” whereby users log in as themselves and have only those privileges needed to do their jobs. If they need to have their privilege elevated for some reason, that is an explicit action.

3. Organizational complexity is posing a growing challenge.

Managing employee identity used to be relatively easy: A user was typically sitting at a desktop with a single machine connected to an enterprise application through a single wire. Ah, but things have changed. Users are now mobile and using a wide range of devices, some of which may be unsanctioned or undocumented personal devices. And mobility is only one aspect of the heightened complexity. IT infrastructures are increasingly diverse and heterogeneous, with multiple silos defined by departments, applications, operating systems or other characteristics that set them apart from one another. The proliferation of virtualization and cloud services adds additional layers of complexity to the IT environment. Without a solution to unify user identities, organizations face the prospect of having too many identities, thus raising too many identity-related risks — including data loss, data breaches, application downtime, failed audits and an inability to identify and rectify internal security problems before they escalate.

Savvy IT and security managers are recognizing that the most cost-efficient and effective way to address these challenges is to incorporate a solution that provides insiders with a unified identity across all platforms. By linking access privileges and activities to specific individuals, the IT organization can establish the control needed to minimize security risks, along with the visibility required to achieve compliance.

© 2013 Centrify Top 3 Reasons to Give Insiders a Unified Identity. 

Centrify is a PathMaker Group partner providing advanced privileged access management, enterprise mobility management, cloud-based access controls worldwide.  The Centrify Identity Service provides a SaaS product that includes SSO, multi-factor authentication, enterprise mobility management and seamless application integration.  The Centrify Privilege Service provides simple cloud-based control of all privileged accounts and provides extremely detailed session monitoring, logging and reporting capabilities.  The Centrify Server Suite provides the ability to leverage Active Directory as the source of privilege and access management across your Unix, Linux and Windows server infrastructure. Centrify is a Leader in The Forrester Wave, Q3 2016.

 

Compliance or Agility? (Why Not Both?)

The increasing number of disclosed security breaches has recently shifted the public’s attention away from compliance. While no longer a hot topic in the news, compliance is still a major focus for enterprises. However, most CIOs aren’t measured on how compliant the business is – their success is measured in how much value they bring to the organization. But no matter how much revenue they generate or operational savings they find, CIOs are well aware of the catastrophic fallout that can result from compliance missteps. Unfortunately, compliance often includes putting processes and controls around the same initiatives that enable companies to grow and adapt – initiatives that result in the measurable value that position CIOs for success. So how do you choose between compliance or nimbleness? And should you even have to?

Often, a choice between two options requires a compromise. The difficulty lies in either choosing to lose money to compliance violation fines (regardless of the time and resources then spent to become compliant) or improve revenue by building a business intended for growth? Identity governance helps with both.

Controlling and managing identities empowers the company to easily achieve compliance while providing a foundation for business growth and agility.

The Power of Automation

Compliance presents a challenge to enterprise CIOs in two ways. The first is obvious: today’s enterprise ecosystem is complex. You have a growing amount of digital assets in various locations. Users are added every day, with many operating as contractors and other types of users that are external to the organization. Keeping tabs on all these elements can be overwhelming.
Many organizations have cobbled together manual or semi-automated controls in an attempt to gain the visibility required to address regulatory requirements. While it gets the job done, the management and administration costs to run these programs can be exorbitant.

Simply put, compliance is expensive and time-consuming. But you must do it, even if it doesn’t do much to advance the business. In fact, the cost and resources required to manage user access – a key metric in regulatory reviews and audits – can actually divert attention from initiatives that will empower the business.

To make compliance a strategic enabler for the business, you must automate it. Taking it off your plate saves measurable amounts of time and money that can be applied to more business-driven initiatives. The only way to automate compliance is with identity governance. See all the applications, users and systems in your ecosystem. Know, at a glance, who has access to what. Manage user access based on roles or functions without requiring human intervention. Reduce the risk of human error. Get valuable hours back in your day.

The Power of Simplicity

If automated identity governance is good, simplified identity governance is better. Cloud-based identity governance multiplies the benefits of automation by making it easy. There’s no hardware to buy, no software to upgrade and no maintenance of any kind to be done by your IT team. In addition to saving hours per month by automating compliance processes, you can save even more time by eliminating the management of your identity governance solution.

Furthermore, in order for IT to become a tool for business empowerment, CIOs are streamlining their teams. They are hiring business-savvy workers with a broader skill set versus a deep bench of technical knowledge. Moving your identity governance into the cloud and removing the burden of managing the solution means that these teams can put their focus on initiatives that drive the business forward.

SailPoint’s Cloud-based Identity Governance Can Help

Cloud-based identity governance simplifies the process of automating compliance activities so that business can get back to what they do best – running their business. SailPoint’s IdentityNow enables you to achieve complex compliance requirements with a powerful identity governance solution that requires zero maintenance, upkeep or technical management. With IdentityNow, you no longer have to compromise between focusing on compliance or building an agile business.

© 2016 SailPoint Technologies, Inc. All rights reserved. SailPoint, the SailPoint logo and all techniques are trademarks or registered trademarks of SailPoint Technologies, Inc. in the U.S. and/or other countries.
All other products or services are trademarks of their respective companies.

Start With The End In Mind: Blog #2 – Speed Delivery of Access to Business Users

Speed Delivery of Access to Business Users

(Source: SailPoint Technologies, Inc. Identity and Access Management Buyer’s Guide)

sailpointweblogoGiven the fast-paced and dynamic environment of business today, IT organizations are challenged to keep up with the demand for identity and access management services, and to do so in a compliant manner. Business users cannot wait days or weeks for access to systems required to perform their job duties. Similarly, organizations cannot tolerate huge gaps in deprovisioning access when a user changes positions or is terminated. Changes to user access must be performed in near-real time, while remaining a controlled and auditable process that is visible to the business. The current state of IAM in most organizations makes it almost impossible to provide consistent and effective service levels to the business due to the following challenges:

  • Heavy use of disparate manual access request and change processes
  • Lack of end-user participation and visibility into identity management processes
  • Ad hoc methods for dealing with external identities and their access rights
  • Growing number of cloud-based applications that are managed outside of IT
  • Help desk staff that is over-burdened with access request and password resets

What organizations need is an easier, more cost-effective way to deliver access to the business. With the right self-service tools, business users can manage their own access, from requesting new accounts or roles to recovering forgotten passwords, using intuitive, business-friendly interfaces. In addition, today’s user provisioning solutions offer easy-to-configure options for automating the entire access lifecycle of a user based on event triggers from authoritative sources — to minimize the need for manual changes. By providing an integrated approach that leverages business-friendly self-service access request tools and automated lifecycle event triggers, identity and access management can streamline the delivery of user access across your organization while continuously enforcing governance rules and compliance policies. It also empowers business users to become an active participant in the identity and access management process, enabling them to manage their own access and passwords while providing them with full visibility into active requests, thereby reducing the workload on help desk and IT operations teams.

Be sure to read blog #3, Increase User Productivity, about implementing technology that reduces the burden of accessing business services.

Visit SailPoint Technologies, Inc. here.

Learn more about PathMaker Group IAM MAP here. 

 

Start With The End In Mind: Blog #1 – Identify Priorities and Establish Clear Goals 

Identify Priorities and Establish Clear Goals

(Source: SailPoint Technologies, Inc. Identity and Access Management Buyer’s Guide)

sailpointweblogo

Identity and access management is a strategic imperative for organizations of all sizes. Companies ranging from large, multi-national enterprises to smaller, fast-growing businesses must address requirements to protect and govern access to critical applications, systems and databases whether in the cloud or on-premises. Identity and access management plays a critical role in enabling organizations to inventory, analyze and understand the access privileges granted to their employees — and to be ready to answer the critical question: “Who has access to what?” At the same time, today’s enterprise demands faster and higher levels of service delivery across an increasingly diverse and dynamic environment:

  • There are growing populations of external users, such as partners, agents, and customers, that need access
  • New users come on board daily, requiring immediate access to enterprise resources
  • Users’ responsibilities change, or their relationships with the enterprise end, and access must quickly be modified or revoked
  • Users want fast, convenient access resources anytime, anywhere using smartphones and tablets
  • Some applications and users represent a higher level of risk to the organization than others and require more focus

For IT staff, the challenge becomes how to meet service-level demands while identifying and managing high-risk activities, enforcing policy and security, maintaining stringent controls and addressing compliance requirements. Because there are many different business drivers for identity and access management, you may wonder how and when to put the different components of a solution in place. The answer depends on your business priorities and the immediate challenges facing your organization. To get started, step back and assess your most urgent issues. Do you understand what you want your solution to help you achieve? Here are some common business goals that can help you determine your own unique priorities:

  • Speed delivery of access to business users
  • Increase business user productivity
  • Manage access across on-premises and cloud applications
  • Reduce the cost of managing access change
  • Eliminate audit deficiencies and improve audit performance
  • Lower the cost of compliance
  • Salvage or replace an existing provisioning system

Be sure to read blog #2, Speed Delivery of Access to Business Users, for more detail about the business drivers for identity management — the goals organizations most frequently hope to achieve with their implementation.

Visit SailPoint Technologies, Inc. here.

Learn more about PathMaker Group IAM MAP here. 

 

Meeting IAM Gaps and Challenges with New Product Offerings

PathMaker Group has been working in the Identity and Access Management space since 2003.  We take pride in delivering quality IAM solutions with the best vendor products available.  As the vendor landscape changed with mergers and acquisitions, we specialized in the products and vendors that led the market with key capabilities, enterprise scale, reliable customer support and strong partner programs.  As the market evolves to address new business problems, regulatory requirements, and emerging technologies, PathMaker Group has continued to expand our vendor relationships to meet these changes.  For many customers, the requirements for traditional on premise IAM hasn’t changed.  We will continue supporting these needs with products from IBM and Oracle.  To meet many of the new challenges, we have added new vendor solutions we believe lead the IAM space in meeting specific requirements.  Here are some highlights:

IoT/Consumer Scalability

UnboundID offers a next-generation IAM platform that can be used across multiple large-scale identity scenarios such as retail, Internet of Things or public sector.  The UnboundID Data Store delivers unprecedented web scale data storage capabilities to handle billions of identities along with the security, application and device data associated with each profile.  The UnboundID Data Broker is designed to manage real-time policy-based decisions according to profile data. The UnboundID Data Sync uses high throughput and low latency to provide real-time data synchronization across organizations, disparate data systems or even on-premise and cloud components.  Finally, the UnboundID Analytics Engine gives you the information you need to optimize performance, improve services and meet auditing and SLA requirements.

Identity and Data Governance

SailPoint provides industry leading IAM governance capabilities for both on-premise and cloud-based scenarios.  IdentityIQ is Sailpoint’s on-premise governance-based identity and access management solution that delivers a unified approach to compliance, password management and provisioning activities. IdentityNow is a full-featured cloud-based IAM solution that delivers single sign-on, password management, provisioning, and access certification services for cloud, mobile, and on-premises applications.  SecurityIQ is Sailpoint’s newest offering that can provide governance for unstructured data as well as assisting with data discovery and classification, permission management and real-time policy monitoring and notifications.

Cloud/SaaS SSO, Privileged Access and EMM

Finally, Centrify provides advanced privileged access management, enterprise mobility management, cloud-based access control for customers across industries and around the world.  The Centrify Identity Service provides a Software as a Service (SaaS) product that includes single sign-on, multi-factor authentication, enterprise mobility management as well as seamless application integration.  The Centrify Privilege Service provides simple cloud-based control of all of your privileged accounts while providing extremely detailed session monitoring, logging and reporting capabilities.  The Centrify Server Suite provides the ability to leverage Active Directory as the source of privilege and access management across your Unix, Linux and Windows server infrastructure.

With the addition of these three vendors, PMG can help address key gaps in a customer’s IAM capability.   To better understand the eight levers of IAM Maturity and where you may have gaps, take a look this blog by our CEO, Keith Squires about the IAM MAP.  Please reach out to see how PathMaker Group, using industry-leading products and our tried and true delivery methodology, can help get your company started on the journey to IAM maturity.

With today’s increasing Mobile Enterprise Security Threats, do you have a strategy to mitigate the risk on your Corporate Network?

Corporations are increasingly utilizing mobile enterprise systems to meet their business objectives, allowing mobile devices such as smart phones and tablets to access critical applications on their corporate network.  These devices provide advanced technologies over traditional desktop clients, such as: information sharing, access from anywhere at any time, data sensors, location, etc. But what makes these mobile devices desirable, by their very nature, also poses a new set of security challenges.  Reports by research agencies in recent years show an alarming trend in mobile security threats listing as top concerns: Android malware attacks, and for the IOS platform issues with enterprise provisioning abuse and older OS versions.

These trends highlight the need for corporations to start taking seriously a mobile security strategy at the same level to which cyber criminals are planning future attacks. A mobile security strategy might involve adopting certain Mobile Security Guidelines as published by standards organizations (NIST) and Mobile OWASP project. See the references at the end of this document:

The following guidelines are a subset of Mobile Security Guidelines I pulled from various published sources with most coming from NIST. It is by no means a comprehensive list, however they can be considered as a starting point or additional considerations for an existing mobile security strategy.

1 – Understand the Mobile Enterprise Architecture

You should start with understanding and diagramming the flow from mobile application to business applications running on the back-end application server. This is a great starting point and should be done at the beginning stages, as most of the security guidelines will depend on what is known about the architecture.

  1. Is the mobile application a native application or mobile web application? Is it a cross-platform mobile application?
  2. Does the mobile application use middleware to get to the back-end API, or does it connect directly to a back-end Restful based Web Service?
  3. Does the mobile application connect to an API gateway?

2 – Diagram the network topology of how the mobile devices connect

Is the mobile device connecting to the business application servers over the cellular network or internally through a private WiFi network, or both? Does it go through a proxy or firewall? This type of information will aid in developing security requirements; help with establishing a QA security test bed and monitoring capability.

3 – Develop Mobile Application Security Requirements

At a high level, a security function must protect against unauthorized access and in many cases protect privacy and sensitive data. In most cases, building security into mobile applications is not at the top of the mind-set in the software development process. As such, these requirements should be gathered as soon as possible in the Software Development Life Cycle (SDLC). It has been my personal experience in many cases that you have to work with application software developers in adopting best security practices. So the sooner you can get that dialogue going the better. Security objectives to consider are:  Confidentiality, integrity, and availability. Can the mobile OS platform provide the security services required? How sensitive is the data you are trying to protect. Should the data be encrypted in transit, and in storage? Do you need to consider data-in-motion protection technologies?  Should an Identity and Access Management (IDAM) solution be architected as part of the mobile enterprise system? Should it include a Single Sign On functionality (SSO)? Should there be multi-factor authentication, role based or fine-grained access control? Is Federation required? Should the code be obfuscated to prevent reverse engineering?

4 – Incorporate a Mobile Device Security Policy

What types of mobile devices should be allowed to access the organization’s critical assets. Should you allow personal mobile devices, Bring Your Own Devices (BYOD’s) or consider only organization-issued or certified mobile devices to access certain resources? Should you enforce tiers of access? Centralized mobile device management technologies are a growing solution for controlling the use of both organization-issued and BYOD’s by enterprise users. These technologies can remotely wipe the data or lock the password from a mobile device that has been lost or stolen. Should Enterprises consider anti malware software and OS upgrades to become certified mobiles on the network? To reduce high risk mobile devices, consider technologies that can detect and ban mobile devices that are jail broken or rooted, as these can pose the greatest risk of being compromised by hackers.

5 – Application Security Testing

According to a study performed by The Ponemon Institute, nearly 40% of 400 companies surveyed were not scanning their applications for security vulnerabilities, leaving the door wide open for cyber-attacks. This highlights the urgency for security teams to put together some sort of security vetting process to identify security vulnerabilities and validate security requirements as part of an ongoing QA security testing function. Scanning application technologies typically conduct two types of scanning methods: Static Application Security Testing (SAST) which analyzes the source code and Dynamic Application Security Testing (DAST), which sends modified HTTP requests to a running web application to exploit the application vulnerabilities. As the QA scanning process develops, it can be automated and injected into the software build process to detect security issues in the early phases of the SDLC.

6 – System Threat Model, Risk Management Process

What will typically come out of the application scanning process will be a list of security vulnerabilities found as either noise, suspect or definitive.  It will then be up to the security engineers knowing the system architecture and network topology working with the application developer to determine whether the vulnerability results in a valid threat and what risk level based on the impact of a possible security breach. Once the risk for each application is determined, it can be managed through an enterprise risk management system where vulnerabilities are tracked, fixed and the risk brought down to a more tolerable level.

7 – Consider implementing a Centralized Mobile Device Management System

Depending on the Mobile Security Policy that is in place, you may want to consider implementing a Centralized Mobile Device Management System especially when Bring Your Own Device (BYOD) mobiles are in the mix that can:

  • For mobile devices, manage certificates, security setting, profiles, etc through a directory service or administration portal.
  • Policy based management system to enforce security settings, restrictions for organization-issued, BYOD mobile devices.
  • Manage credentials for each mobile device through a Directory Service.
  • Self service automation for BYOD and Reducing overall administrative costs.
  • Control which applications are installed on organization-issued applications and check for suspect applications on BYOD mobile devices.
  • A system that can remotely wipe or lock a stolen or loss phone.
  • A system that can detect Jail-broken or rooted mobile devices.

8 – Security Information and Event Management (SIEM)

Monitor mobile device traffic to back-end business applications. Track mobile devices and critical business applications and correlate with events and log information looking for malicious activity based on threat intelligence. On some platforms it may be possible to integrate with a centralized risk management system to specifically be on alert for suspicious mobile events correlated with applications at higher risk.

References:

Your journey toward IAM maturity requires the right MAP