The Low hanging fruit of IAM – three fundamental things you should be doing

◦ Desktop applications (Windows, Linux, Mac, etc.)
◦ Even the traditional keyfob/USB thingy-type tokens
• Modern helpdesk and web portals make any operation faster
◦ User token management and requests are self-service.
◦ Modern user-helpdesk features involve simple clicks, and not complex engineering.
• There is no reason to bother the help desk.

Honestly, the biggest change in the MFA landscape is the smart phone. Smart phones are ubiquitous. I mean, don’t most 13-year-olds have a smart phone these days? But alas, we still have that pesky enforcement point, right? Not necessarily. It’s generally accepted in our industry that around 99 percent of the time, the user attempting to authenticate into a system is actually that user and not an impersonator or a hacker. When we understand that, our philosophy on authenticating users can transform from making it inherently difficult for users to making it simple, easy, fast and secure. Subsequently, we could reallocate our authentication computing power to identifying the threats or anomalies of a hacker hitting the environment. What do you need to make this transformation? You need risk-based authentication. You’ll get that with Cloud Access Manager (CAM), One Identity’s web-access management (WAM) platform.

Identity governance

IAM entails many elements, but some fundamental technologies can facilitate the implementation of your security project and set it up for long-term success, including the blue areas in the figure below. The core of identity governance typically consists of three main access types.
[Figure: IAM components diagram. Labels: Identity governance; Attestation/Recertification; Provisioning; Self-service request and fulfillment; Password mgmt; Role mgmt; Directory mgmt; PAM; End user access to application; End user access to unstructured data; Privileged user access; Session mgmt; Delegation; Multi-factor authentication; Single sign-on; Federation; Web access management; Access management.]

Regardless of how a user accesses resources — including privileged accounts — from inside the network, via the web or with federated credentials, you can benefit from the adaptive security functionality of multi-factor authentication to ensure they are who they say they are.

Web access management

Which brings us to the second piece of low-hanging fruit. The whole point of computers, IT and all of that stuff is so that people can do their jobs better. Providing easy, optimized access to the applications and data that users need is critical. After all, if people can’t get to their stuff in an easy manner, they will find another way — one that is probably non-secure and introduces risk to your organization. That’s where a web access management solution, such as One Identity’s CAM, comes in. Instantly, it bears fruit, if you will, due to its many security benefits, a few of which we’ve highlighted below:

• Single sign-on to any web application. CAM provides organizations with unified access for federated applications as well as non-federated applications. It supports extending SSO and externalized security to the following web security paradigms:
◦ Legacy authentication models: form-fill, Windows authentication, basic authentication and header injection. Nearly any way that legacy or custom-built web applications need to authenticate is supported.
◦ Federated authentication protocols: SAML 2.0, WS-Federation, WS-Trust (for O365 thick clients), OAuth, and OpenID Connect.
It supports most methods used by modern federated applications, including Salesforce, Office 365, Google Apps and thousands of other mission-critical apps.
• Secure reverse proxy. CAM also provides secure remote access that minimizes the negative impact on end users. CAM’s reverse proxy allows you to connect to intranet applications from the internet without a VPN. We understand that a VPN is essential technology, but we also feel that companies often rely too heavily on VPN access at the cost of user convenience when, in fact, reverse proxy technology is more than adequate for a high number of access types — and much more secure for others.
◦ Users don’t always have VPN, and/or they need to access internal sites from places where their VPN technology is either difficult to leverage or simply forbidden by policy. Imagine a mobile phone or the local library; these are places where a user should never, or can’t, configure VPN connections.
◦ Partners with VPN access? Some companies find that the only way they can provide a partner access to an internal web resource is to provide VPN access. This is a tremendous risk that becomes unnecessary once a reverse proxy is available.
• Auditing. Because CAM can be the identity provider (IdP) for your federated applications and all your other applications, it becomes the default audit trail for your entire environment. Without an IdP like CAM, how do you know what your users are accessing? You would need to go to every application developer to collect user audit data, if it was even available. With CAM, you’ll know every detail of every user’s access, from connections made to cloud targets, like Google Apps, to connections made to legacy systems with no built-in audit capabilities at all.

Finally, and probably most importantly, CAM is installed with a built-in risk engine – called the Security Analytics Engine.
With the introduction of a risk engine to your web access management strategy, you will have an intelligent, adaptive authentication capability that allows your trusted users to authenticate quickly, while making the challenge for an attacker all but insurmountable. Enabling the risk engine in your environment means instantly filtering your traffic for the following risk indicators (to mention a few):

• User behavior. I like to refer to this as the user’s forensic thumbprint. CAM’s risk engine creates a unique profile for each user in your environment, taking into account factors like client IP addresses, geographical location, typical time of day, the browser used, and more. If a user’s connection exhibits the typical profile for that user, then the risk is low. However, if that same user is connecting from
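The two ideas above, risk-based authentication (let the roughly 99 percent of legitimate logins through quickly and spend the effort on the anomalies) and the per-user behavioural profile built from client IP, location, time of day and browser, can be shown end to end in a small scoring engine. The code below is an added example written for this page; it is not One Identity's code and does not reproduce how the Security Analytics Engine actually works. The login history, the factor weights, the "rare" threshold and the allow/step-up/deny cut-offs are all assumptions chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    client_ip: str
    country: str
    hour: int        # local hour of day, 0-23
    browser: str     # browser family parsed from the User-Agent


# Constructed sample history (not real data): five successful logins that
# form the behavioural baseline for one user.
SAMPLE_HISTORY = [
    LoginAttempt("alice", "10.20.30.5", "US", 9, "Chrome"),
    LoginAttempt("alice", "10.20.30.7", "US", 10, "Chrome"),
    LoginAttempt("alice", "10.20.30.5", "US", 14, "Chrome"),
    LoginAttempt("alice", "10.20.30.9", "US", 17, "Firefox"),
    LoginAttempt("alice", "10.20.30.5", "US", 9, "Chrome"),
]

# Assumed weights: risk added when a factor's value has never been seen for
# this user. A value seen in fewer than RARE_SHARE of past logins adds half.
WEIGHTS = {"ip_prefix": 25, "country": 40, "time_bucket": 15, "browser": 20}
RARE_SHARE = 0.25
ALLOW_BELOW = 25        # below this: password alone is enough
DENY_FROM = 70          # at or above this: refuse even with a correct password
NO_BASELINE_RISK = 50   # no history yet: always require a second factor


def ip_prefix(ip: str) -> str:
    """Collapse an IPv4 address to its /24 so a DHCP lease change is not 'new'."""
    return ".".join(ip.split(".")[:3])


def time_bucket(hour: int) -> str:
    """Coarse time-of-day bucket; exact hours would make every login look new."""
    if 8 <= hour < 18:
        return "business"
    if hour < 6 or hour >= 22:
        return "night"
    return "edge"


def features(a: LoginAttempt) -> dict:
    return {
        "ip_prefix": ip_prefix(a.client_ip),
        "country": a.country,
        "time_bucket": time_bucket(a.hour),
        "browser": a.browser,
    }


def build_profile(history, user: str) -> dict:
    """Count how often each factor value occurred in the user's past logins."""
    profile = {k: Counter() for k in WEIGHTS}
    for a in history:
        if a.user != user:
            continue
        for k, v in features(a).items():
            profile[k][v] += 1
    return profile


def evaluate(history, attempt: LoginAttempt) -> dict:
    """Score one login attempt against the user's profile and decide."""
    profile = build_profile(history, attempt.user)
    total = sum(profile["country"].values())  # every login adds one value per factor
    if total == 0:
        # Edge case: a brand-new user has no thumbprint, so do not silently allow.
        return {"risk": NO_BASELINE_RISK, "reasons": ["no baseline for user"],
                "decision": "step-up"}
    risk, reasons = 0, []
    for k, v in features(attempt).items():
        share = profile[k][v] / total
        if share == 0:
            risk += WEIGHTS[k]
            reasons.append(f"{k}={v} never seen")
        elif share < RARE_SHARE:
            risk += WEIGHTS[k] // 2
            reasons.append(f"{k}={v} rare ({share:.0%})")
    if risk < ALLOW_BELOW:
        decision = "allow"
    elif risk < DENY_FROM:
        decision = "step-up"   # challenge for a second factor
    else:
        decision = "deny"
    return {"risk": risk, "reasons": reasons, "decision": decision}


if __name__ == "__main__":
    for attempt in [
        LoginAttempt("alice", "10.20.30.5", "US", 11, "Chrome"),      # typical
        LoginAttempt("alice", "203.0.113.8", "US", 15, "Chrome"),     # new network only
        LoginAttempt("alice", "198.51.100.4", "BR", 3, "Safari"),     # everything new
        LoginAttempt("bob", "10.20.30.5", "US", 11, "Chrome"),        # no history
    ]:
        print(attempt.user, attempt.client_ip, evaluate(SAMPLE_HISTORY, attempt))
```

The point of the thresholds is the philosophy in the text: the typical login scores zero and is never challenged, a single unfamiliar factor only costs the user a second-factor prompt, and only a login that looks wrong on every axis is refused outright. Tuning comes down to the weights and the two cut-offs, which is where a real deployment would spend its effort.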