#HowTo: Approach Identity Management

According to McKinsey, around 70% of CISOs faced security budget cuts in 2020. One of the biggest challenges is how to deal with identity management and access control to corporate resources, as employees are forced to work remotely for the foreseeable future.

Rolling out effective identity and access management (IAM) programs today involves safely ensuring that remote employees can maintain access outside their traditional domain defenses. Whether you have an existing strategy or are dealing with identity from scratch, some approaches can directly benefit you.

Remotely Managing Heterogeneous Devices

One of the most significant changes for identity management today is the heterogeneity of IT. Previously, you could apply a standardized approach using a directory to control all access to IT assets and applications. Microsoft’s Active Directory and Windows operating system is a good example, as all machines would run the same family of operating systems on the same physical network.

Today, that approach is no longer effective. We have computers running Windows, Mac and Linux through to phones and tablets running a mix of iOS, Android and iPadOS. You may have cloud-based services and SaaS applications too. Each of these has to be managed from an identity-first perspective.

With the move to remote working and more heterogeneous IT, looking at your directory approach is an excellent first step. For established enterprises, extending your existing directory may be enough to keep up with the new range of assets and devices that you have to support identities on. 

However, for many companies running SaaS applications and a mix of devices, it may be easier to start from scratch with a directory in the cloud.

Understanding Standards

Identity management standards make the job of managing identities easier. The likes of RADIUS, LDAP and Kerberos have existed for years. Extending these standards to support cloud implementation is necessary for today’s mixed environments. To support access based on a standard like RADIUS, you can implement your own server instance or use a cloud-based service that automates the management side for you.

However, these older standards don’t support SaaS applications effectively, so others are needed. Security Assertion Markup Language, or SAML, supports single sign-on (SSO) to web applications and ensures access control where multiple security domains are involved.

SAML solutions securely expose a company’s directory information to external applications and websites. SAML is secure because it passes signed, XML-based assertions, using certificates that are unique to each application, rather than passing user credentials.

Taking the right approach can make users more efficient too. Just-In-Time (JIT) provisioning lets you onboard new users automatically – rather than manually creating individual accounts in an application, a user account is created when that user authenticates for the first time using SSO.

JIT provisioning uses SAML to pass the assertion from the identity provider to the service provider, which then uses the information in that assertion to create the user account. For services that support it, this automation gives you more time to focus, while end users benefit from faster access.

SCIM (System for Cross-domain Identity Management) is an API-driven identity management protocol for managing user identities in web applications. SCIM eases the friction points around provisioning and managing user accounts in web applications and keeping them synchronized with the core directory. SCIM helps automate onboarding and offboarding, which saves valuable time and reduces errors in authorization levels.
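The synchronization SCIM enables can be shown as a small reconciliation step. The following is an added example, not code from the article or from any SCIM implementation: it compares a directory (the source of truth) with the users an application currently holds and produces the SCIM 2.0 requests needed to onboard, update and offboard. The directory records, the application's user list and the resource ids are constructed; the schema URNs are the standard SCIM 2.0 ones.

```python
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed directory records: the HR/directory view of who should exist.
DIRECTORY = [
    {"userName": "alice@example.test", "givenName": "Alice", "familyName": "Example", "active": True},
    {"userName": "bob@example.test", "givenName": "Bob", "familyName": "Example", "active": True},
    {"userName": "dave@example.test", "givenName": "Dave", "familyName": "Example", "active": False},
]

# Constructed application-side view, as a GET /Users listing would return it,
# keyed by userName. Carol has left the company but still has an active account.
APP_USERS = {
    "bob@example.test": {"id": "u-1001", "userName": "bob@example.test", "active": True},
    "carol@example.test": {"id": "u-1002", "userName": "carol@example.test", "active": True},
    "dave@example.test": {"id": "u-1003", "userName": "dave@example.test", "active": True},
}


def to_scim_user(rec):
    """Build the SCIM 2.0 User resource body for a POST /Users call."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": rec["userName"],
        "name": {"givenName": rec["givenName"], "familyName": rec["familyName"]},
        "emails": [{"value": rec["userName"], "primary": True}],
        "active": rec["active"],
    }


def set_active_patch(active):
    """PatchOp body that flips the 'active' attribute (offboarding keeps the record)."""
    return {
        "schemas": [SCIM_PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": active}],
    }


def plan_sync(directory, app_users):
    """Return the list of (method, path, body) requests that bring the app in line."""
    ops = []
    wanted = {r["userName"]: r for r in directory}
    for name, rec in wanted.items():
        existing = app_users.get(name)
        if existing is None:
            if rec["active"]:                       # only create accounts for active people
                ops.append(("POST", "/Users", to_scim_user(rec)))
        elif existing["active"] != rec["active"]:   # status drift: directory wins
            ops.append(("PATCH", f"/Users/{existing['id']}", set_active_patch(rec["active"])))
    for name, existing in app_users.items():
        if name not in wanted and existing["active"]:   # departed: deactivate, don't delete
            ops.append(("PATCH", f"/Users/{existing['id']}", set_active_patch(False)))
    return ops


def summarize(ops):
    """Compact view of a plan: method and path only, in stable order."""
    return [f"{m} {p}" for m, p, _ in ops]


if __name__ == "__main__":
    for method, path, body in plan_sync(DIRECTORY, APP_USERS):
        print(method, path, json.dumps(body))
```

Offboarding is expressed as a PATCH that sets `active` to false rather than a DELETE; the account and its audit history stay in place while the access is removed, and the same request shape covers a leave of absence recorded in the directory.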

Understanding Devices, Context and Conditional Access

Identity management has become more complex. With users distributed across multiple devices and locations, managing these situations involves looking at context. Understanding device trust is essential in these circumstances.

In a Zero Trust security model, users, devices, networks and other resources are all untrusted by default. Under a Zero Trust model, a secure identity starts the process. Following this, you can check that the device is known to the organization and, thus, deemed safe and secure. This can be achieved using a security certificate during the provisioning process.

Lastly, you can look at the network location for each user. With many employees working from home, it may not be practical to whitelist every IP address – instead, you can block access to requests from other geo-locations.

When setting up policies, conditional access can support smarter working. For roles with limited mobility, restricting access to specific devices and locations ensures security without affecting users. For more mobile roles, we can use location data alongside multi-factor authentication and device specifications.
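The conditional access described in the last three paragraphs (identity first, then device trust via the provisioning certificate, then location, then MFA for mobile roles) is shown below as an added example policy evaluator; it is not code from the article or from any product. The device registry, the role policies, the country codes and the certificate fingerprints are all constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple, List


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    device_fingerprint: str   # fingerprint of the certificate installed at provisioning
    country: str              # ISO country code derived from the source address
    mfa_completed: bool


@dataclass(frozen=True)
class RolePolicy:
    allowed_countries: FrozenSet[str]
    allowed_devices: Optional[FrozenSet[str]]   # None: any registered device
    require_mfa: bool


# Constructed registry of devices provisioned by the organization.
REGISTERED_DEVICES = {
    "sha256:aa11": "desk-pc-0042",
    "sha256:bb22": "laptop-0107",
}

# Constructed policies: a fixed-location role pinned to one device and country,
# and a mobile role allowed on any registered device in several countries with MFA.
POLICIES = {
    "finance-clerk": RolePolicy(frozenset({"GB"}), frozenset({"sha256:aa11"}), False),
    "field-sales": RolePolicy(frozenset({"GB", "DE", "FR"}), None, True),
}


def evaluate(req: AccessRequest, registry=REGISTERED_DEVICES, policies=POLICIES) -> Tuple[str, List[str]]:
    """Return ('allow' | 'deny' | 'mfa_required', reasons) for one request."""
    policy = policies.get(req.role)
    if policy is None:
        return "deny", ["no conditional access policy for role"]   # default deny
    reasons = []
    if req.device_fingerprint not in registry:
        reasons.append("device not known to the organization")
    elif policy.allowed_devices is not None and req.device_fingerprint not in policy.allowed_devices:
        reasons.append("device not permitted for this role")
    if req.country not in policy.allowed_countries:
        reasons.append(f"location {req.country} not permitted for this role")
    if reasons:
        return "deny", reasons          # hard conditions fail: MFA cannot compensate
    if policy.require_mfa and not req.mfa_completed:
        return "mfa_required", ["role policy requires multi-factor authentication"]
    return "allow", []


if __name__ == "__main__":
    print(evaluate(AccessRequest("clerk1", "finance-clerk", "sha256:aa11", "GB", False)))
    print(evaluate(AccessRequest("clerk1", "finance-clerk", "sha256:aa11", "US", False)))
    print(evaluate(AccessRequest("rep7", "field-sales", "sha256:bb22", "DE", False)))
```

The evaluator returns the reasons alongside the decision so that each denial can be logged with the failing condition, which is what makes a geo-block or a blocked unknown device reviewable rather than a silent failure.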

Identity is the last consistent point for IT security. To support this effectively, we have to implement processes that use standards and embrace technologies like the cloud. By adopting cloud approaches to standards like RADIUS and technologies like directories, we can simplify the implementation process, make it more effective and cut costs.
