Authentication environment

by Mark Rowe

Once protected by the isolated confines of enterprise IT, business boundaries have been permanently altered by the juggernauts of virtual and cloud computing. Now, both standard users and IT professionals must increasingly contend with a complex authentication environment, in which multiple identities use various endpoints to access numerous applications. So writes Jason Hart, vice president, Cloud Solutions for Identity & Data Protection, Gemalto.

According to SafeNet’s 2014 Authentication Survey, only 15 per cent of organisations worldwide mandate multi-factor authentication (MFA) for 90-100 per cent of their employees in order to address the security challenges of today’s complex authentication environment. With more than two million records compromised daily, the remaining 85 per cent jeopardise the confidentiality and integrity of their networks, applications and intellectual property, leaving them at the mercy of spear-phishers, database hackers, malicious insiders, plain thieves, and propagators of generic malware.

With uniform security policies, central management, visibility, and transparency into their entire authentication environment, CISOs can in fact stroll down identity and access management (IAM) easy street. Instead, system administrators are tasked with putting out IT fires and with maintaining and upgrading their organisation’s network infrastructure, systems, and applications. With so much to do in so little time, IAM solutions that offer system administrators reduced management along with the ability to securely adopt new technologies are certain to reach the CIO’s short list. How can the right authentication solution actually reduce the workload for system administrators, and allow them to bring in the latest and greatest apps and platforms? Here are the key functionalities to look out for:

Automated Token Provisioning – Both automated token provisioning and deprovisioning utilise periodic synching with existing user stores (such as AD, Oracle, SQL, Lotus, Novell, IBM, etc) to effect the appropriate actions.

Auto-syncing and auto-provisioning – These automatically issue tokens to new users, and automatically request activation via email notification. Similarly, they also disable a user’s access permissions once they are removed from the user store.

Automated User and Solution Management – These capabilities can provide automated alerts delivered through SMS or email, containing real-time red flag notifications on incidents that require follow up actions, thus allowing management by exception. Examples include notifications to users and administrators in the event of account lockout, modification of a key configuration setting, or the absence of user enrolments by a certain date.
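The three capabilities above (automated token provisioning and deprovisioning driven by a periodic sync with the user store, activation requests by email, and alerts only for exceptions such as users who have not enrolled by a deadline) boil down to one reconciliation loop. The following is an added illustration written for this article, not code from Gemalto, SafeNet or any product it describes; the user names, token states, the 14-day enrolment grace period and the alert wording are all constructed assumptions.

```python
from copy import deepcopy
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample data (not from any real directory): the enterprise user
# store as seen at sync time, and the authentication server's token inventory.
USER_STORE = {"alice", "bob", "carol"}
TOKEN_STORE = {
    "alice": {"state": "active",  "enrol_by": date(2014, 6, 1)},
    "bob":   {"state": "pending", "enrol_by": date(2014, 6, 1)},  # never activated
    "dave":  {"state": "active",  "enrol_by": date(2014, 6, 1)},  # no longer in the directory
}
ENROLMENT_GRACE = timedelta(days=14)   # assumed activation deadline for newly issued tokens


@dataclass
class SyncResult:
    provisioned: list = field(default_factory=list)   # new users issued a token
    disabled: list = field(default_factory=list)      # removed users whose token was disabled
    emails: list = field(default_factory=list)        # (user, message) activation requests
    alerts: list = field(default_factory=list)        # red-flag notifications for administrators


def sync_tokens(user_store, token_store, today):
    """One periodic sync run: reconcile the token inventory against the user store."""
    result = SyncResult()

    # Auto-provisioning: every directory user without a token gets one issued in
    # 'pending' state and an activation request by email.
    for user in sorted(set(user_store) - set(token_store)):
        token_store[user] = {"state": "pending", "enrol_by": today + ENROLMENT_GRACE}
        result.provisioned.append(user)
        result.emails.append((user, "Please activate your new authentication token"))

    # Auto-deprovisioning: a token whose owner has left the user store is disabled,
    # so a leaver's credential stops working without a manual help-desk ticket.
    for user in sorted(set(token_store) - set(user_store)):
        if token_store[user]["state"] != "disabled":
            token_store[user]["state"] = "disabled"
            result.disabled.append(user)

    # Management by exception: only users still pending after their enrolment
    # deadline generate an administrator alert; everything else stays quiet.
    for user, record in sorted(token_store.items()):
        if record["state"] == "pending" and record["enrol_by"] < today:
            result.alerts.append(f"{user} has not enrolled; deadline was {record['enrol_by']}")

    return result


def run_sync_demo(today=date(2014, 6, 15)):
    """Run the sync over copies of the constructed data; return (result, inventory)."""
    inventory = deepcopy(TOKEN_STORE)
    return sync_tokens(set(USER_STORE), inventory, today), inventory


if __name__ == "__main__":
    result, inventory = run_sync_demo()
    print("provisioned:", result.provisioned)
    print("disabled:   ", result.disabled)
    print("alerts:     ", result.alerts)
```

The deprovisioning branch is the one that matters most for risk: a leaver's token is disabled on the next sync rather than whenever someone remembers to raise a ticket, and the alert list stays short enough that an administrator will actually read it.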

Group-based Policies – These policy capabilities streamline the provisioning and authorisation process. For example, different user groups can be assigned different pre-authentication rules, such as time and date or IP address restrictions, application permissions, and token provisioning configurations.
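To make the group-based policy idea concrete, here is an added example (written for this article, not vendor code) of a pre-authentication check that assigns each user group its own source-network allowlist, time-of-day and weekday window, and token provisioning configuration. The group names, CIDR ranges, hours and token types are constructed assumptions; the point is that the same rule evaluator serves every group and the decision is made before any factor is requested.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple


@dataclass(frozen=True)
class PreAuthRule:
    networks: Tuple[str, ...]            # allowed source CIDRs; empty tuple = any source
    hours: Optional[Tuple[time, time]]   # local time window; None = round the clock
    weekdays: frozenset                  # 0 = Monday ... 6 = Sunday
    token_type: str                      # token provisioning configuration for the group


WEEKDAYS = frozenset(range(5))
EVERY_DAY = frozenset(range(7))

# Constructed group policies (assumed, not from any real deployment).
GROUP_POLICIES = {
    "finance":     PreAuthRule(("10.10.0.0/16",),   (time(7), time(19)), WEEKDAYS, "hardware-otp"),
    "contractors": PreAuthRule(("203.0.113.0/24",), (time(9), time(17)), WEEKDAYS, "sms-oob"),
    "it-admins":   PreAuthRule((),                  None,                EVERY_DAY, "phone-as-token"),
}
USER_GROUPS = {"alice": "finance", "bob": "contractors", "carol": "it-admins"}


def _in_window(now: time, window: Tuple[time, time]) -> bool:
    start, end = window
    if start <= end:
        return start <= now < end
    return now >= start or now < end     # window that wraps past midnight


def check_pre_auth(user: str, source_ip: str, when: datetime):
    """Evaluate the user's group rules; return (allowed, reason, token_type)."""
    group = USER_GROUPS.get(user)
    if group is None:
        return False, f"{user} is not in any policy group", None
    rule = GROUP_POLICIES[group]

    # Source-network restriction.
    if rule.networks:
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in ipaddress.ip_network(net) for net in rule.networks):
            return False, f"{source_ip} is outside the {group} networks", None

    # Date and time restrictions.
    if when.weekday() not in rule.weekdays:
        return False, f"{when:%A} is not an allowed day for {group}", None
    if rule.hours and not _in_window(when.time(), rule.hours):
        return False, f"{when:%H:%M} is outside {group} hours", None

    # All pre-authentication rules pass: tell the caller which factor to request.
    return True, f"{group} pre-authentication rules satisfied", rule.token_type


if __name__ == "__main__":
    for user, ip, when in [
        ("alice", "10.10.4.20", datetime(2014, 6, 10, 10, 0)),
        ("bob", "203.0.113.9", datetime(2014, 6, 10, 20, 0)),
        ("carol", "198.51.100.7", datetime(2014, 6, 8, 3, 30)),
    ]:
        print(user, check_pre_auth(user, ip, when))
```

Denials are returned with a reason rather than silently, which is what the automated alerting described above needs in order to flag repeated out-of-policy attempts to an administrator.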

User Self-Service – To further reduce help desk overhead, solutions that offer basic self-service, such as requesting a new token, requesting a backup authentication method, activating or re-syncing a token, and updating user profile details can reduce the management burden on IT.

Federated Login – With SAML-based identity federation, solutions can extend stored identities to the cloud, enabling users to sign in to software-as-a-service (SaaS) and cloud applications with the same credentials used to log in to the corporate network. In effect, this allows for the ability to sign in only once and concurrently gain access to multiple SaaS applications.

Frictionless Authentication Methods – A study published by the National Institute of Standards and Technology (NIST) found that, on average, NIST employees authenticated 23 times within a 24-hour period, with “over-authentication” requirements resulting in user frustration, otherwise known as ‘password fatigue’. In turn this led users to cope by using strategies with the potential to jeopardise security down the line, such as writing down passwords. In enterprise authentication scenarios, however, users cannot simply walk away to avoid authentication. Hence the importance of frictionless authentication methods such as one-time passwords (OTP), out-of-band authentication (OOBA), and tokenless authentication (for example, context-based authentication), which enhance user experience and lower barriers to adoption.

As-a-Service delivery – Strong authentication and identity management can be delivered as-a-service from the cloud, further lowering the total cost of operation with cloud computing efficiencies. So how can organisations resolve password aggravation and offer users a frictionless authentication experience? Here are some guiding principles:

• Secure SSO with strong authentication, elevating the level of assurance that users are in fact who they claim to be. Strong multi-factor authentication can be added to ESSO/federated SSO scenarios without incurring the high cost of user inconvenience.
• Lower barriers for users: Remove the need to physically carry additional daily authentication props by offering context-based authentication, out-of-band software tokens and phone-as-a-token options, providing convenient enterprise mobility from any endpoint.
• Eliminate reliance on passwords: Two-factor authentication can completely replace static passwords, eliminating password fatigue, password administration and password vulnerabilities.
• Offer self-service: Keep dependence on help desk personnel to a minimum by offering users extensive self-service functionalities, such as resetting their profile details, requesting a new token, or syncing a current one.

A solid authentication scheme can be fluid, and even transparent, to users, and can provide an extensible authentication framework to cloud and enterprise applications — allowing CIOs and system administrators to not only fulfil their duties but also drive up efficiency and innovation.


© 2024 Professional Security Magazine. All rights reserved.
