Identity and Access Management

Published 12th January 2018
by Christine Ellis

Security and Simplification

Identity and Access Management (IAM) delivers two desirable benefits: simplicity for your users and enhanced security for your organisation.

If you’re exploring IAM, join IT Lab’s security and technology experts Peter Wilson, John Dryden and Michael Bateman for a top-level tour of the definitions and options and the five key considerations for implementation. These include how to approach end-user security awareness and foster a culture of security across your business.

Defining Identity and Access Management

Identity and Access Management simplifies the user experience and gives organisations tighter control over who and what has access to their systems.

At its core is unified sign-on, also termed single sign-on or SSO. This allows the user to login to different cloud-based applications with one set of credentials.

Having a single set of credentials improves the user experience because they don’t have to memorise or manage multiple passwords. SSO reduces the likelihood of their getting in a pickle or exposing your organisation to risk – the all too common password on a post-it note, for example.

Single sign-on is one side of the IAM coin. The other side – authentication, is the crucial security layer. Two factor authentication (2FA) or multi factor authentication (MFA) requires the user to verify their identity before access is authorised.

The Value of Identity and Access Management

Stronger security and frictionless user experiences are the core benefits of Identity and Access Management.

IAM reduces the burden on sysadmins too. Many of us have experienced this scenario: someone leaves suddenly and there’s an invariable scramble to recover and re-set their log-ins. Worse yet, some systems may be forgotten altogether, permitting the leaver’s continued access. Let’s hope they left on good terms…

With IAM, access is easy to manage because there can be one point of disablement. Potentially, setting up new users is easier too, and it enables organisations to link system administration to a single source of truth for employee data, such as an HR system.

Defining Single Sign-on   

SSO has three different meanings:

  • Single sign-on. A single point of entry to all cloud systems. In the context of Identity and Access Management, any reference to SSO generally means single sign-on.
  • Same sign-on. Copies the user name and password to other systems; relevant to on-premise, legacy and Active Directory systems. By synchronising identities, it acts as a link between those systems and the cloud.
  • Seamless sign-on. The user’s credentials are relayed to other services, avoiding the need to log-in to services individually. Typically in the context of Azure Active Directory.

As many readers may know, the technology between identity and access management systems and cloud-based applications is often SAML –  Security Assertion Markup Language. SAML is the standard for exchanging authentication and authorisation data, most commonly between an identity provider and a service provider.

Implementing Identity and Access Management: 5 Key Considerations

IAM vendors are many and varied, and making the right choices to fit your organisation’s needs can be daunting. The main considerations are:

  1. Bear in mind that not all cloud-based systems are the same – their authentication capabilities will differ.
  2. IAM vendor compatibility with your apps. Look at your application estate and understand the authentication methods that each app is capable of. For example, which ones are SAML enabled.

The team at IT Lab can assist you with the above.

John Dryden: “You may have an application that is not SAML capable, which could detract from the value of implementing an IAM solution. It’s a question of determining what you’re going to gain. Having one application that is not SAML enabled doesn’t necessarily mean you shouldn’t invest. If you have 99 that are, you’ll gain advantages across that set of applications.”

Pete Wilson adds: “This is when you might look at look at morphing the different SSO types we listed earlier into a single type environment. This will give you benefit of SAML where applicable, potentially also enabling the use of the same credentials in other systems that aren’t directly capable of SAML exchanges.”

Also consider:

  1. The various multi factor authentication capabilities open to you, and how they match the circumstances of your user-base. For example, if some users don’t have corporate mobile phones, how will you push out the second factor?
  2. Third parties. Pete Wilson: “Take due consideration of how people outside your organisation are going to interact with you. Many companies allow third party contractors to access their systems via a VPN. If you are introducing an identity management solution, especially with multifactor authentication, you must consider those parties as well as your ‘internal’ users.
  3. Ease of implementation and the user experience. The less complex, the easier it will be for your users to consume.

John Dryden: “Our vendor partner Duo Security is an excellent example of a solution that’s straightforward to both implement and consume, so you have fewer overheads in terms of user-training. Avoid something that introduces too much complexity for the end-user. Security should be painless, otherwise people may try to subvert it.”

MFA – The Needs and Psychology of Your User Base

Multifactor or two factor authentication requires two or more methods to verify an individual’s identity. This is typically something that they know and something that they have e.g. answering a security question and scanning a fingerprint.

Peter Wilson: “There’s a variety of methods. The main objective is to select one that’s convenient and secure for your user base, subject to the devices available to them.

“We find our clients have a common method across their environment, because it makes management easier. If necessary, it is possible to mix the authentication methods, e.g. on a device or location basis. You can split it many ways; it’s what is known as conditional authentication.”

Once you have selected the right method, it’s imperative to get your users on board. As Michael Bateman succinctly puts it: “When implementing a solution, be aware there’s a heartbeat at the other end, and never assume your users will do what you ask them to.”

Peter Wilson agrees: “You might encounter some old school thinking. People will think why on earth do I need to do this? I’ve been using a password for years, why must I change it now? There can also be a degree of angst across your user-base if you implement something and they don’t understand why. They may even perceive they are being penalised.”

So how do you bring your users on board? Pete Wilson again: ”There’s a critical education piece. Rather than purely telling people what to do, explain your rationale. It’s cultural too; anything that improves security should be driven at board level, not just IT. Fundamentally, don’t impose things – it’s about bringing your user base with you. Tell them your plans at an early stage.”

Michael Bateman continues: “A combination of external inputs can drastically improve a company’s security posture and culture, which in turn reduces the overall risk faced. By selecting expert providers such as IT Lab, incorporating Perspective Risk, businesses can enjoy assistance and advice at board-level, through to tactical user assessment, awareness and training.”

Identity and Access Management and Adaptive Technology

In this cloud era, SAML and SSO have been brought to the fore. Cloud services are core to an Adaptive Technology Model. Pete Wilson: “The model is about utilising many applications that could be spread across the world, delivered by multiple suppliers, provided via a range of deployments from SaaS, through PaaS, IaaS and co-lo or on-premise infrastructure.

“One of the goals is to bring everything together, into a single authentication domain if you like, so that your users can simply and easily access all your applications without having to remember copious details. It’s all about ease of access, and as we’ve said, this makes things more secure in the back end when we add MFA on top.

“No company uses a single application, so you are always going to have a spread of apps; the goal is to consolidate them under a common identity.”

IAM – The Future

Identity and Access Management will evolve and become fundamental to the everyday user-experience.

John Dryden: “Many people are thinking about IAM in the context of ‘nice to have’. Now it should be the norm, and an expected part of your induction when you join a new company. You should have a single identity and shouldn’t have to log in to systems one at a time. The days of juggling a plethora of usernames and passwords should be over.”

How IT Lab Can Assist 

  • We help our clients to understand their software and application sets, which informs the best methodology for creating an IAM framework to bolster security and smooth the user experience.
  • We support clients from board-level to end user, with cyber security and risk assessments, advisory services and interactive training, either on-line or in person.

For an initial exploratory chat, click here to contact us today.


Latest News & Events

All the latest from IT Lab