Identity Management – Don’t they know who I am?
More than ever, we live in a connected and consumerist world of IT. Social media, internet banking, online shopping and even wearables from Fitbit or Apple have become the accepted norm for many of us. We trust that the information we volunteer in order to use the services we have come to rely on is secure and not open to misuse or abuse.
The same is true of customers, partners and employees using your corporate IT systems, whether they are hosted on-premise, or in the rapidly evolving cloud of many clouds.
Broadly, this is what is referred to as Identity Management. It is an administrative area dealing with how to identify individuals in a system and control what resources they can access once the security controls in place have checked that they are who they claim to be.
At a very basic level, identity management is about confirming the identity, then defining what that identity is allowed to do on the network, on which devices and under what circumstances. All this has become ever more complex and even more important with Bring Your Own Device (BYOD) and the mainstream shift to cloud computing – access to your resources anytime, anywhere, on almost any device.
There are several tools for Identity Management from a number of vendors, but as you might expect, it isn’t a case of one solution fits all.
There are solutions tailored for on-premise, hybrid and full cloud environments. Some of these are highly customisable, others are more modular in approach.
Features to be aware of…
Single Sign-On (SSO) – If your users have more than one set of login credentials to remember, odds are that they will simply write them down, or worse still, write them on a Post-it note stuck to their monitor bezel. If that’s the case, then your security has greater potential to be compromised – how can you be sure that the user logged in as Jim from accounts isn’t really Sarah from sales, or worse still, the guy here for an interview, logging in on his smartphone after seeing the Post-it?
Multi-Factor Authentication (MFA) – Of the three authentication methods: something you know (e.g. password), something you have (e.g. smart card) and something you are (e.g. fingerprint), MFA combines two or more of these to improve security. Think of it like a layered defence: even if one factor is compromised, an attacker still has at least one more barrier to get around before successfully breaking into the IT system.
Self-service – It’s possible to delegate important tasks such as performing password resets and group management to users, to lower the support burden and reduce management costs.
Automated device onboarding and provisioning – An important factor for BYOD, which could otherwise lead to an increase in administrative burden and potential security threats. Pre-defined procedures allow devices to connect to the IT system securely, without requiring human intervention. These controls help maintain security and reduce the administrative cost at the same time.
Audit logs – If an identity cannot be validated, or attempts to access something it is not authorised for, then this suspicious or unusual activity will be logged and can be used to verify the security measures are working properly – something which will become more important with the new GDPR rules from 25th May 2018.
Identity management has long been a key function of most well-managed IT systems for companies large or small.
The benefits include improved security, reduced administration cost, a simplified user experience, and reduced risk of data breach, loss and litigation penalties.
With growing take-up of BYOD and mainstream adoption of cloud computing, combined with evolving security threats and new legislation, putting the right identity management process to work in your environment becomes more important. To find out if your identity management solution is fit for purpose, drop me an email and I'd be more than happy to talk you through the different solutions.