As the world prepared to work remotely for the foreseeable future last spring, there were two very different reactions. Some friends and family shared visions of blissful mornings, working from the comfort of bed still in pajamas. On the other hand, my network of IT acquaintances and colleagues who were responsible for business continuity was stressed about securing the new work model and keeping employees productive.
Quickly, the reality of the situation took hold. Dreams of blissful mornings working from home turned into a frustrating battle of countless logins, forgotten passwords and lengthy help desk calls. For the folks in IT, the challenges mounted by the hour.
Systems that had relied on local network authentication cues and technologies were no longer helpful. Instead, companies needed a solution with dynamic user journeys that could adjust flows based on contexts such as location or device. They also needed a password reset flow that worked on any device from any network.
The pandemic did not offer the luxury of time, so companies had to react to keep employees productive and businesses running. The result was a quick reconfiguration of their systems to support remote workers, which in many cases meant temporary stopgap measures that were hard-coded for remote work only. After all, this shift was going to last for a while.
As it became apparent remote work was the new norm, another set of issues quickly emerged. New cloud applications to foster collaboration were introduced to the enterprise with abandon, while fraudsters were attacking a newly remote workforce. These apps were being deployed faster than they could be integrated into the Single Sign On (SSO) system, causing identity silos, which, in turn, provided more attack surface for fraudsters, not to mention more passwords for the employees to remember and manage.
Fast forward more than a year, and as offices start to reopen, security teams are concerned that fixes put in place 12 months ago won’t address the new hybrid work reality. Adding to a pandemic hangover is the unintended fallout caused by the sudden rise of gig workers and “tiger teams” who were quickly ramped up and shut down to get specific tasks accomplished quickly.
Given all the ways we digitally transformed over the past year, having the right Identity and Access Management System in place to foster business agility while securing your company’s assets is essential. Here’s what I recommend companies look for in an IAM system:
- Flexibility and context-driven user experiences that can infuse strong Multi-Factor authentication along the way
- An Integrated Platform that encompasses all aspects of the Identity Fabric: everything from Complete Single Sign On, User Self Service, Strong Authentication and Authorizations to Identity Lifecycle Management, Provisioning, and Identity Governance.
- Artificial Intelligence (AI) at its core that can autonomously analyze and react to shifts in behavior.
Why User Experience Matters
Previously, enterprise security experts prioritized user experience solely for the consumer -- employees had to be willing to “put up” with extra security prompts. However, during the pandemic, this practice became a productivity blocker and caused an explosion of costly and time-consuming help desk calls. As the world became more digital, people became accustomed to simpler experiences -- and they started to expect them from employers as well.
To enable good user experience and high security standards, companies need an orchestration platform that can dynamically adapt based on contextual inputs such as location, device type, or time of day. By adjusting to contextual cues, user authentication flows can branch off to use different methods of authentication based on risk level. This flexibility, however, cannot come at the cost of increased exposure.
Since most breaches result from weak or stolen user credentials, strong authentication processes must be adopted by users, and users want choice. An orchestration engine that offers users choice will increase strong authentication adoption. Additionally, systems that provide a wide range of strong authentication choices, from the latest FIDO2 passwordless and usernameless methods to push notifications, One Time Passwords, or on-device biometrics, increase the ability to implement strong authentication. Strong authentication combined with contextualized device-specific cues provides the most secure as well as the simplest-to-use authentication.
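To make the branching concrete, here is an added example of the kind of context-driven policy the two paragraphs above describe; it is illustrative code written for this page, not any vendor's orchestration engine. The signals (managed device, known location, business hours, recent failures), their weights and the thresholds are all constructed assumptions. The point it shows is that the risk score never removes strong factors, only the weaker, phishable choices, and that a trusted context gives the user the widest choice.

```python
"""Context-driven authentication policy (added illustration, constructed assumptions)."""
from dataclasses import dataclass, field
from typing import List

# Authentication methods named in the text, strongest first.
FIDO2 = "fido2"                        # passwordless / usernameless, phishing-resistant
DEVICE_BIOMETRIC = "device_biometric"  # device-bound on-device biometric
PUSH = "push"                          # push notification to an enrolled app
OTP = "otp"                            # one-time password (phishable, weakest)


@dataclass
class Context:
    """Contextual cues evaluated at login. Field names are assumptions."""
    managed_device: bool      # corporate-enrolled device
    known_location: bool      # network/country previously seen for this user
    business_hours: bool      # local time inside the user's usual window
    recent_failures: int = 0  # failed attempts on this account in the last hour


@dataclass
class Decision:
    risk: int
    denied: bool
    methods: List[str] = field(default_factory=list)  # methods the user may choose from


def risk_score(ctx: Context) -> int:
    """Additive score: every missing trust cue raises the risk. Weights are constructed."""
    score = 0
    if not ctx.managed_device:
        score += 30
    if not ctx.known_location:
        score += 25
    if not ctx.business_hours:
        score += 10
    score += min(ctx.recent_failures, 5) * 10
    return score


def choose_methods(ctx: Context) -> Decision:
    """Branch the journey on risk: narrow the user's choice, never drop the strong factors."""
    risk = risk_score(ctx)
    if risk >= 80:
        # Too risky to authenticate at all; route to fraud review / help desk.
        return Decision(risk, denied=True)
    if risk < 20:
        # Trusted context: full choice, including the convenient but weaker OTP.
        return Decision(risk, False, [FIDO2, DEVICE_BIOMETRIC, PUSH, OTP])
    methods = [FIDO2, DEVICE_BIOMETRIC]       # phishing-resistant or device-bound only
    if risk < 50:
        methods.append(PUSH)                  # push is acceptable at medium risk, OTP is not
    return Decision(risk, False, methods)


if __name__ == "__main__":
    for ctx in (Context(True, True, True), Context(False, True, True),
                Context(False, False, False), Context(False, False, False, recent_failures=3)):
        print(ctx, "->", choose_methods(ctx))
```

Because the method list is data, the same engine can feed a registration flow: a user who can only enroll OTP will find it unavailable in a risky context and be nudged toward FIDO2, which is how choice and adoption reinforce each other.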
However, user journeys do not stop after initial authentication; they continue throughout the session as users access applications. To effectively implement a Zero Trust model, companies need an IDM system to continuously monitor context and telemetry signals. This additional information allows the system to take appropriate action at every access event, including granting or denying access, asking for step-up authentication, or limiting access through data redaction or data throttling. Companies should also seek solutions with some offline capabilities, for example using caveated tokens or macaroons.
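The caveated tokens mentioned above are worth seeing in code, so here is an added, self-contained sketch of the macaroon construction (this is illustrative code for this page, not the implementation of any product or of the original macaroon library). A macaroon is an HMAC chain: the issuer computes HMAC(root_key, identifier), and every caveat appended replaces the signature with HMAC(previous_signature, caveat). Anyone holding the token can narrow it further without any key, nobody can remove a caveat, and a resource server that holds the root key verifies the whole chain locally, which is the offline property the text asks for. The predicate syntax ("key = value", "time < N") is a constructed assumption.

```python
"""Macaroon-style caveated bearer token (added illustration, constructed predicate syntax)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List


def _chain(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


@dataclass(frozen=True)
class Macaroon:
    identifier: str                # opaque id, e.g. a session or token id
    caveats: List[str] = field(default_factory=list)
    signature: bytes = b""

    @classmethod
    def mint(cls, root_key: bytes, identifier: str) -> "Macaroon":
        """Issuer only: the root key never leaves the issuer and the verifiers."""
        return cls(identifier, [], _chain(root_key, identifier))

    def attenuate(self, predicate: str) -> "Macaroon":
        """Anyone can add a caveat; the new signature binds it into the chain."""
        return Macaroon(self.identifier, self.caveats + [predicate],
                        _chain(self.signature, predicate))


def check_caveat(predicate: str, ctx: Dict[str, str], now: int) -> bool:
    """Constructed predicate language: 'time < 1700000000' or 'app = payroll'."""
    if predicate.startswith("time < "):
        return now < int(predicate[len("time < "):])
    if " = " in predicate:
        key, value = predicate.split(" = ", 1)
        return ctx.get(key) == value
    return False  # unknown predicate: fail closed


def verify(root_key: bytes, m: Macaroon, ctx: Dict[str, str], now: int) -> bool:
    """Offline check: recompute the chain from the root key, then evaluate every caveat."""
    sig = _chain(root_key, m.identifier)
    for caveat in m.caveats:
        sig = _chain(sig, caveat)
    if not hmac.compare_digest(sig, m.signature):
        return False  # forged, tampered, or a caveat was stripped
    return all(check_caveat(c, ctx, now) for c in m.caveats)


if __name__ == "__main__":
    root = b"constructed-root-key"          # constructed sample key
    token = (Macaroon.mint(root, "session-42")
             .attenuate("user = alice")
             .attenuate("app = payroll")
             .attenuate("time < 2000"))     # expiry as a caveat; constructed epoch
    print(verify(root, token, {"user": "alice", "app": "payroll"}, now=1000))  # True
    print(verify(root, token, {"user": "alice", "app": "hr"}, now=1000))       # False
```

The session-level decisions from the paragraph above map naturally onto caveats: redaction becomes a caveat such as `fields = nonsensitive`, throttling becomes a short `time <` window that forces the client back for a fresh token, and step-up is simply a token minted only after the stronger factor succeeds.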
Lastly, there is the password reset user journey, which is often complicated because it involves two separate systems. Context and choice continue to be critical: through context, companies can track risk signals, such as whether the device is company-owned or sitting in a public cafe, which can change the level of identity verification needed to reset the password; similarly, offering choices for how to prove identity creates more opportunity for user success without the help desk. A well-integrated solution also eliminates the need to retype your new password yet another time to re-authenticate to the system, a personal pet peeve.
The Power of an Integrated Platform
Today, the rapid expansion of identities and applications makes it essential to have one fully integrated identity platform. Companies need a solution that can handle the entire Identity Fabric, from Complete Single Sign On, User Self Service, Strong Authentication and Authorizations to Identity Lifecycle Management, Provisioning, and Identity Governance.
Creating an Access Model Users Want
The most visible aspects of any IAM platform are the Access Management capabilities. The ability to provide great user experiences while delivering SSO across the entire range of business applications is key. Each password you eliminate for your users is one less identity silo to manage and one less attack vector for fraudsters. The latest authentication and authorization standards ensure companies can quickly secure any new cloud application without creating a new identity silo. Additionally, seamless integration with legacy systems powers a modern-day security model without recoding the application. A unified security policy across a Hybrid IT infrastructure will greatly reduce risk while also increasing business agility and keeping users happy.
Building a Governance System Administrators Will Use
Identity Management, Provisioning, and Governance capabilities provide administrative teams and auditors with the tools to manage and control the entire Identity Lifecycle. For example, these tools quickly provision birthright access to new employees, including gig workers, where time is money. They also securely support the rapid addition of new rights to tiger team members to foster and grow business agility. But that is only half the battle. To maintain your data privacy compliance posture and reduce the risk of internal fraud, organizations also need to remove that access just as efficiently and securely when a tiger team dissolves or an employee changes roles or leaves the organization.
Manual, spreadsheet-driven approaches were already cumbersome -- with the rapid adoption of cloud services, they have been pushed to their limit. It can take days to provision a new user, and reconciling user access across an organization can take months. An integrated platform allows organizations to review, audit, and reconcile user access rights and programmatically enforce them without relying on a ticketing system to manually close any gaps. This ensures orphan accounts are quickly eliminated, closing yet another attack vector for a hacker.
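The reconciliation the two paragraphs above call for is essentially a join between the authoritative identity source and what each application actually reports, so here is an added example of that logic (illustrative code written for this page, not any governance product's code). The HR roster, application account lists, role model and time-boxed tiger-team grants are all constructed sample data. It produces the three kinds of action the text names: disabling orphan accounts whose owner has left or is unknown, revoking tiger-team rights past their end date, and revoking entitlements the owner's current role does not justify.

```python
"""Access reconciliation against an authoritative source (added illustration, constructed data)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Person:
    user_id: str
    status: str   # "active" or "terminated"
    role: str


@dataclass(frozen=True)
class Account:
    app: str
    user_id: str
    entitlements: FrozenSet[str]


# Role model: entitlements each role may hold (constructed assumption).
ROLE_MODEL: Dict[str, Set[str]] = {
    "engineer": {"git:read", "git:write", "ci:run"},
    "finance": {"erp:read", "erp:post"},
    "contractor": {"git:read"},
}

# Time-boxed tiger-team grants: (user_id, entitlement) -> last valid day (constructed).
TEMP_GRANTS: Dict[Tuple[str, str], int] = {("carol", "erp:read"): 120}

# Constructed HR roster and application account exports.
SAMPLE_ROSTER: List[Person] = [
    Person("alice", "active", "engineer"),
    Person("bob", "terminated", "finance"),
    Person("carol", "active", "engineer"),
]
SAMPLE_ACCOUNTS: List[Account] = [
    Account("git", "alice", frozenset({"git:read", "git:write", "ci:admin"})),
    Account("erp", "bob", frozenset({"erp:read"})),          # owner has left
    Account("erp", "carol", frozenset({"erp:read"})),        # tiger-team grant
    Account("git", "dave", frozenset({"git:read"})),         # nobody in HR owns this
]


def reconcile(roster: List[Person], accounts: List[Account], today: int) -> List[str]:
    """Return the enforcement actions needed to bring accounts in line with the roster."""
    people = {p.user_id: p for p in roster}
    actions: List[str] = []
    for acct in accounts:
        owner = people.get(acct.user_id)
        if owner is None or owner.status != "active":
            actions.append(f"disable {acct.app}:{acct.user_id} (orphan)")
            continue
        allowed = ROLE_MODEL.get(owner.role, set())
        for ent in sorted(acct.entitlements):
            if ent in allowed:
                continue
            expiry = TEMP_GRANTS.get((acct.user_id, ent))
            if expiry is not None and today <= expiry:
                continue  # still inside the tiger-team window
            reason = "expired temporary grant" if expiry is not None else "outside role"
            actions.append(f"revoke {ent} from {acct.app}:{acct.user_id} ({reason})")
    return actions


if __name__ == "__main__":
    for action in reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, today=150):
        print(action)
```

Run on a schedule, the returned actions are what an integrated platform executes directly against the application connectors instead of opening tickets; the same output also serves as the audit evidence that the review happened.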
Harnessing Artificial Intelligence
AI has become a critical aspect of selection criteria for an Identity Management platform. The only way for IT to keep up with the rapidly shifting identity landscape -- from fraudsters exploiting every shift in user behavior or identity silo created, to governing the rapid explosion of identities consisting of humans, machines, and things -- is to have AI act autonomously based on real-time data.
AI can be used to quickly detect suspicious behavior during a login attempt, greatly reducing the window of opportunity for a hacker to exploit a vulnerability. It also can monitor user sessions, building higher confidence in a user's true identity by watching their access patterns. If a user doesn’t dramatically diverge from their normal usage pattern, AI will have higher certainty that it is the user who originally authenticated and can actually remove step-up authentication requests for sensitive assets. I expect this will usher in an era of “Zero Trust 2.0” where we can have more confidence in a user’s identity over time instead of less.
On the governance side, AI is essential for managing the explosion of roles, dynamic roles, applications, and the identity of humans, machines, and even things like containers. Organizations need a system that can consume not only data from Identity Management systems but also external data such as application logs or LDAP repositories. By continually monitoring the actual use of access rights, and adjusting roles and rights based on that usage, companies can be sure that users only have access to the assets they need. Further leveraging AI to automate the access approvals, revocations, and reconciliation unburdens your staff from a mountain of work and removes the “rubber stamp” of access requests, greatly increasing security and compliance posture.
AI also offers the ability to share signals across the governance and access capabilities. So, in the case of nefarious activity, the access AI can communicate to the governance AI to revoke an account. Conversely, when a user tries to access an entitlement, which the governance system has classified as risky for them to have, authentication sequences can be stepped up to safeguard this risky entitlement, or external calls could be made to increase auditing of that session.
Over the last year, the way we work has undergone a massive digital transformation. Remote work allowed companies to stay afloat and in some cases flourish; however, it also exposed vulnerabilities around identity and access management, which will only proliferate at a breakneck pace with the continued rise of IoT. In helping my colleagues and organizations navigate these massive shifts, it has all boiled down to one thing: organizations must find a complete Identity Management Platform that delivers strong user experiences, with AI at its core, that can be consumed self-managed, as a service, or as a hybrid of both. It will set them up for success as their IT infrastructure evolves for many years to come.