Top 8 Identity & Access Management Challenges with Your Saas Application
Download your SaaS IAM whitepaper from Okta. Okta-IAM_SaaS_Challenges_Top_8
7 TRENDS THAT WILL SHAPE THE FUTURE OF IDENTITY
The identity and access management (IAM) space is constantly evolving, and the pace of transformation is only accelerating as new security threats arise, expectations increase for streamlined and transparent experiences, and IT environments grow more complex to support business initiatives like cloud adoption.
Over the course of this evolution, identity has become a key business driver across the organization. Businesses are using IAM to help them accomplish a number of goals, including:
- Managing identities, profiles and attributes
- Authenticating people, systems and things
- Enabling access to resources
- Managing runtime access to applications and application programming interfaces (APIs)
With the rapid pace of change and increasing scope of identity, it’s hard to stay on the cutting edge of trends in the IAM space. Ping Identity recently invited the Chief Information Security Officers (CISOs) from leading enterprises to share the seven trends they believe will shape the future of identity.
- NEW METHODS OF IDENTITY PROOFING For centuries, identity proofing has required people to show up at a physical location and have their identity documents inspected. This method isn’t going to scale in the age of the internet. New methods of remote proofing and social proofing are currently being developed that will change the way people trust each other online.
- PASSWORDLESS AUTHENTICATION When individuals interact online, they frequently do things that attackers would never do, like pay bills, order small items to be shipped to their homes or send a note to say hi to mom. Authentication will eventually be smart enough to recognize these as contexts that are low risk and don’t require a password. There are also many contextual pieces of information that could indicate people’s true identities, like the devices they use and how they interact. Authentication of the future—for both individuals and enterprises—will be adaptive and contextual so a password is required only when necessary.
- BEHAVIORAL ANALYTICS AND MACHINE LEARNING It used to be that you could grab a latte in the morning and hop into a cab with no one knowing who you were. Starbucks and Uber have changed that forever. People increasingly interact with the world in an authenticated context, which means that the companies with which they interact have a lot of information about their behavior. Machine learning gives businesses an even bigger opportunity to apply the data in different ways. They will be able to remove frustrations and friction from their customers’ daily lives by remembering who they are, what they like, when they’re likely to access services and exactly how much whipped cream their kids like on their hot chocolate.
- CONSENT AND PRIVACY Customers are getting more savvy about understanding how and when their data is stored—especially as more of them have been victims of data breaches. New regulations require that companies gather consent to store personally identifiable information and then only use that information for agreed-upon purposes. The days of 100-page terms of service are gone. Expect to see short, clear requests for information as it’s needed during a transaction.
- BLOCKCHAIN AND OTHER DISTRIBUTED LEDGER TECHNOLOGIES How new distributed ledgers will shape identity management is a question still to be answered, but many companies are eagerly playing with the technology and trying new things. There’s a lot of excitement about the new tools that this technology could enable, particularly in spaces where global coordination is needed. However, since everything that’s put on a blockchain is immutable, it’s important that they remember the privacy and security implications of these tools as they build new things.
- INTERNET OF THINGS (IoT) As identity becomes the new perimeter for both security and privacy, it’s increasingly critical that the industry gets device identity right. The number of devices individuals carry and install in their homes is growing dramatically, and the enterprise use cases are exploding—from production line monitors to water sensors to medical devices. We’re going to need new norms and policies to differentiate between trusted users, threats and different members of a household.
- BIOMETRICS Biometrics are emerging as a quick and easy way for users to authenticate, but they’re not perfect. As usage grows, the technology to fool biometric sensors will get more advanced and easier to produce. Right now, unlocking local devices using a locally stored biometric has a low likelihood of compromise, but using biometrics at scale over the web carries more serious security implications that the industry will have to wrestle with over the next few years.
By Ping Identity’s CISO Advisory Council, comprised of CISOs from 12 enterprise organizations, including: Frank Aiello, CISO for American Red Cross; Diane Ball, CISO for BCBS Tennessee; Steve Martino, CISO for Cisco; Stanton Meyer, CSO for CoBank; Ben Mayrides, CISO for Cvent; Sam Masiello, CISO for Gates Corporation; Larry Whiteside, CISO for Greenway Health; Michael Strong, CISO for GCI; Chris Gullett, VP of Information Security for Allegiant Air; and Adrian Mayers, CISO for Vertafore.
Why All The Emphasis On Insider Threats? Three Reasons:
1. Insider security risks are more prevalent and potentially more damaging.
1. Insider security risks are more prevalent and potentially more damaging.According to a study conducted by the Ponemon Institute, 34% of data breaches in the U.K., come from malicious activity, including criminal insiders, and 37% of breaches come from employee negligence. A previous Ponemon study indicated that a third of malicious attacks come from criminal insiders. Further, a Forrester study revealed that 75% of data breaches were caused by insiders, most often due to employee negligence or failure to follow policies. The most-often cited incidents were lost devices, inadvertent misuse of sensitive information and intentional theft of data by employees. The impact of data breaches and downtime, whether caused by insider malice or negligence, can cripple an organization, exposing it to lost revenue, significant brand damage and increasingly onerous regulatory fines and penalties.
2. User identity “blind spots” are causing audit failures.
Many organizations are failing audits because of blind spots in their identity infrastructures. Blind spots can occur when identities and entitlements are managed in disparate silos or on local servers rather than centrally. For example, one of the biggest identity challenges for companies — and a major cause of failed audits — is a lack of visibility into local administrator accounts on Windows. This is akin to the root account on a Linux/Unix system. Failed audits can be particularly damaging in today’s environment, in which regulations related to data loss and data protection are becoming more rigorous around the world. Companies that conduct business globally have to be in compliance with a wide range of rules and regulations to satisfy audit requirements.
As such, organizations must be able to provide proof that users who have access to certain servers and applications are actually authorised users. They must also be able to deliver an auditable trail of what each user has done within the server. These requirements mean organizational policies need to apply the principle of “least privilege access,” whereby users log in as themselves and have only those privileges needed to do their jobs. If they need to have their privilege elevated for some reason, that is an explicit action.
3. Organizational complexity is posing a growing challenge.
Managing employee identity used to be relatively easy: A user was typically sitting at a desktop with a single machine connected to an enterprise application through a single wire. Ah, but things have changed. Users are now mobile and using a wide range of devices, some of which may be unsanctioned or undocumented personal devices. And mobility is only one aspect of the heightened complexity. IT infrastructures are increasingly diverse and heterogeneous, with multiple silos defined by departments, applications, operating systems or other characteristics that set them apart from one another. The proliferation of virtualization and cloud services adds additional layers of complexity to the IT environment. Without a solution to unify user identities, organizations face the prospect of having too many identities, thus raising too many identity-related risks — including data loss, data breaches, application downtime, failed audits and an inability to identify and rectify internal security problems before they escalate.
Savvy IT and security managers are recognizing that the most cost-efficient and effective way to address these challenges is to incorporate a solution that provides insiders with a unified identity across all platforms. By linking access privileges and activities to specific individuals, the IT organization can establish the control needed to minimize security risks, along with the visibility required to achieve compliance.
© 2013 Centrify Top 3 Reasons to Give Insiders a Unified Identity.
Centrify is a PathMaker Group partner providing advanced privileged access management, enterprise mobility management, cloud-based access controls worldwide. The Centrify Identity Service provides a SaaS product that includes SSO, multi-factor authentication, enterprise mobility management and seamless application integration. The Centrify Privilege Service provides simple cloud-based control of all privileged accounts and provides extremely detailed session monitoring, logging and reporting capabilities. The Centrify Server Suite provides the ability to leverage Active Directory as the source of privilege and access management across your Unix, Linux and Windows server infrastructure. Centrify is a Leader in The Forrester Wave, Q3 2016.
VIDEO – THE 7 TENETS OF SUCCESSFUL IAM (SAILPOINT)
[embedyt] https://www.youtube.com/watch?v=XDgE0IGRmgI[/embedyt]
How Do I Know When To Upgrade My IAM Environment?
Pathmaker Group Executive Team
Deciding if you should upgrade your identity and access management environment can be a daunting task. Although there are many variables and decision-making points involved, the “if” decision usually falls into one of two camps:
- The software is nearing its’ support end-of-life.
- There is a need to utilize new services available in the latest release.
Let’s take a look at the first camp. The end-of-life of a particular software product is tied directly to its vendor’s support. This is a very important consideration due to the potential worst case scenario. Imagine software currently running in production where its support has been deprecated by the vendor. Then when a major issue occurs, technical staff reaches out to the vendor with an explanation of the problem, only to hear “sorry, we can’t help you”. Unless in-house staff can diagnose and find a solution to the problem, there could be a very real long-lasting disruption of service. The old adage “if it ain’t broke, don’t fix it” is not always the best mantra to follow with your identity and access management software. Although it is not critical to constantly upgrade to the latest and greatest release, it is recommended to be several steps ahead of a product’s end-of-life. This is due to not only the potential issue above, but also because vendors include critical items, such as security fixes and performance enhancements, as part of their newest releases.
How about the second camp? Let’s take a company that is utilizing a single sign-on software product or version that is a few years old. Granted, the solution is working well, however, there is now a need to integrate mobile and social technologies for their customer base. Seeing as their current software version does not support this, but the newest version does, the obvious choice would be to upgrade. Or, as a second illustration, a company may have created a custom connector, but that connector now ships out-of-the-box with the newest version. By upgrading, they would no longer have the overhead of updating and maintaining their code.
Get Information on the PathMaker Group IAM Maturity Advisory here.
Start With The End In MInd: Blog #4 – Manage Access Across On-premises and Cloud Applications
(Source: SailPoint Technologies, Inc. Identity and Access Management Buyers Guide)
“We’ve lost visibility and control over applications in the cloud. We’re not even sure about what’s out there.”
As enterprises accelerate their adoption of the cloud, they must cope with the challenges of managing a hybrid IT environment where some applications reside on-premises and some reside in the cloud. Adding to the complexity of this environment, business units are gaining more autonomy to buy and deploy applications — which can often house sensitive, corporate data — without consulting or involving the IT organization.
Signs that your organization is struggling to manage new cloud applications include:
- IT is not fully aware of the mission-critical cloud applications in production across various departments and business units
- Business units are performing their own user administration via spreadsheets and manual updates
- Business units are requesting that IT integrate cloud applications with directories for periodic synchronization
- Business units are purchasing their own identity and access management solutions — without consulting IT or considering what IAM infrastructure is already in place
- IT audit processes, such as access certifications, have not been extended to cover cloud applications
A proper identity and access management solution should help enterprises embrace the cloud while at the same time allowing the IT organization to effectively apply centralized security policy, detect violations and demonstrate full regulatory compliance. Successful IAM solutions will allow you to automate compliance and provisioning processes for cloud applications in the same manner as on-premises applications. At the same time, it should provide end users with convenient access to cloud applications and empower them with single sign-on from any device — at work, home or on the go with mobile devices.
Check back for blog #5, Reduce the Cost of Managing Access Change
Visit SailPoint Technologies, Inc. here.
Learn more about PathMaker Group IAM MAP here.
Start With The End In Mind: Blog #3 – Increase Business User Productivity
(Source: SailPoint Technologies, Inc. Identity and Access Management Buyers Guide)
Whether you’re using identity management for internal users (employees and contractors) or external users (partners, agents, customers), you want to implement technologies that reduce the burden of accessing business services. Having the right identity and access management strategy can reduce internal costs and improve productivity, but it can also contribute to revenue growth and profitability, as more and more “users” are business partners, agents or customers. As IT becomes more “consumerized,” all types of users expect quick, convenient access. And that access is no longer limited to logging in from a corporate laptop or PC — today’s workers want access anytime, anywhere, via any device. Every minute that a user has to spend retrieving a lost password or having the help desk reset a password is an unproductive minute — and when you multiply the growing number of applications by the amount of time wasted, the high price of inconvenience becomes pretty clear.
“I can’t keep up with the incoming requests for managing user access across the organization. There’s got to be a better way!”
“Our business users have to remember so many passwords, they’re writing them on yellow sticky notes in plain view.”
Here are some questions you should consider as you plan your strategy to ensure your IAM solution delivers convenience and improves user adoption and productivity:
- Do you make it as simple as possible for new users to register and begin using your business services — even if they have no prior relationship with your organization?
- Can users request new access from a self-service tool without having to call the help desk?
- Do you provide simple password reset capabilities for users who have forgotten their username and passwords?
- Do you offer users a streamlined and personalized single sign-on experience for all the applications, regardless of where they are hosted or how employees access them — via a desktop, laptop or mobile device?
- Do you use risk-based authentication to ensure that low-risk transactions are as easy as possible, but high-risk transactions require more assurance?
Check back for blog #4, Manage Access Across On-premises and Cloud Applications
Visit SailPoint Technologies, Inc. here.
Learn more about PathMaker Group IAM MAP here.
Start With The End In Mind: Blog #2 – Speed Delivery of Access to Business Users
Speed Delivery of Access to Business Users
(Source: SailPoint Technologies, Inc. Identity and Access Management Buyer’s Guide)
Given the fast-paced and dynamic environment of business today, IT organizations are challenged to keep up with the demand for identity and access management services, and to do so in a compliant manner. Business users cannot wait days or weeks for access to systems required to perform their job duties. Similarly, organizations cannot tolerate huge gaps in deprovisioning access when a user changes positions or is terminated. Changes to user access must be performed in near-real time, while remaining a controlled and auditable process that is visible to the business. The current state of IAM in most organizations makes it almost impossible to provide consistent and effective service levels to the business due to the following challenges:
- Heavy use of disparate manual access request and change processes
- Lack of end-user participation and visibility into identity management processes
- Ad hoc methods for dealing with external identities and their access rights
- Growing number of cloud-based applications that are managed outside of IT
- Help desk staff that is over-burdened with access request and password resets
What organizations need is an easier, more cost-effective way to deliver access to the business. With the right self-service tools, business users can manage their own access, from requesting new accounts or roles to recovering forgotten passwords, using intuitive, business-friendly interfaces. In addition, today’s user provisioning solutions offer easy-to-configure options for automating the entire access lifecycle of a user based on event triggers from authoritative sources — to minimize the need for manual changes. By providing an integrated approach that leverages business-friendly self-service access request tools and automated lifecycle event triggers, identity and access management can streamline the delivery of user access across your organization while continuously enforcing governance rules and compliance policies. It also empowers business users to become an active participant in the identity and access management process, enabling them to manage their own access and passwords while providing them with full visibility into active requests, thereby reducing the workload on help desk and IT operations teams.
Be sure to read blog #3, Increase User Productivity, about implementing technology that reduces the burden of accessing business services.
Visit SailPoint Technologies, Inc. here.
Learn more about PathMaker Group IAM MAP here.
Start With The End In Mind: Blog #1 – Identify Priorities and Establish Clear Goals
Identify Priorities and Establish Clear Goals
(Source: SailPoint Technologies, Inc. Identity and Access Management Buyer’s Guide)
Identity and access management is a strategic imperative for organizations of all sizes. Companies ranging from large, multi-national enterprises to smaller, fast-growing businesses must address requirements to protect and govern access to critical applications, systems and databases whether in the cloud or on-premises. Identity and access management plays a critical role in enabling organizations to inventory, analyze and understand the access privileges granted to their employees — and to be ready to answer the critical question: “Who has access to what?” At the same time, today’s enterprise demands faster and higher levels of service delivery across an increasingly diverse and dynamic environment:
- There are growing populations of external users, such as partners, agents, and customers, that need access
- New users come on board daily, requiring immediate access to enterprise resources
- Users’ responsibilities change, or their relationships with the enterprise end, and access must quickly be modified or revoked
- Users want fast, convenient access resources anytime, anywhere using smartphones and tablets
- Some applications and users represent a higher level of risk to the organization than others and require more focus
For IT staff, the challenge becomes how to meet service-level demands while identifying and managing high-risk activities, enforcing policy and security, maintaining stringent controls and addressing compliance requirements. Because there are many different business drivers for identity and access management, you may wonder how and when to put the different components of a solution in place. The answer depends on your business priorities and the immediate challenges facing your organization. To get started, step back and assess your most urgent issues. Do you understand what you want your solution to help you achieve? Here are some common business goals that can help you determine your own unique priorities:
- Speed delivery of access to business users
- Increase business user productivity
- Manage access across on-premises and cloud applications
- Reduce the cost of managing access change
- Eliminate audit deficiencies and improve audit performance
- Lower the cost of compliance
- Salvage or replace an existing provisioning system
Be sure to read blog #2, Speed Delivery of Access to Business Users, for more detail about the business drivers for identity management — the goals organizations most frequently hope to achieve with their implementation.
Visit SailPoint Technologies, Inc. here.
Learn more about PathMaker Group IAM MAP here.
Meeting IAM Gaps and Challenges with New Product Offerings
PathMaker Group has been working in the Identity and Access Management space since 2003. We take pride in delivering quality IAM solutions with the best vendor products available. As the vendor landscape changed with mergers and acquisitions, we specialized in the products and vendors that led the market with key capabilities, enterprise scale, reliable customer support and strong partner programs. As the market evolves to address new business problems, regulatory requirements, and emerging technologies, PathMaker Group has continued to expand our vendor relationships to meet these changes. For many customers, the requirements for traditional on premise IAM hasn’t changed. We will continue supporting these needs with products from IBM and Oracle. To meet many of the new challenges, we have added new vendor solutions we believe lead the IAM space in meeting specific requirements. Here are some highlights:
IoT/Consumer Scalability
UnboundID offers a next-generation IAM platform that can be used across multiple large-scale identity scenarios such as retail, Internet of Things or public sector. The UnboundID Data Store delivers unprecedented web scale data storage capabilities to handle billions of identities along with the security, application and device data associated with each profile. The UnboundID Data Broker is designed to manage real-time policy-based decisions according to profile data. The UnboundID Data Sync uses high throughput and low latency to provide real-time data synchronization across organizations, disparate data systems or even on-premise and cloud components. Finally, the UnboundID Analytics Engine gives you the information you need to optimize performance, improve services and meet auditing and SLA requirements.
Identity and Data Governance
SailPoint provides industry leading IAM governance capabilities for both on-premise and cloud-based scenarios. IdentityIQ is Sailpoint’s on-premise governance-based identity and access management solution that delivers a unified approach to compliance, password management and provisioning activities. IdentityNow is a full-featured cloud-based IAM solution that delivers single sign-on, password management, provisioning, and access certification services for cloud, mobile, and on-premises applications. SecurityIQ is Sailpoint’s newest offering that can provide governance for unstructured data as well as assisting with data discovery and classification, permission management and real-time policy monitoring and notifications.
Cloud/SaaS SSO, Privileged Access and EMM
Finally, Centrify provides advanced privileged access management, enterprise mobility management, cloud-based access control for customers across industries and around the world. The Centrify Identity Service provides a Software as a Service (SaaS) product that includes single sign-on, multi-factor authentication, enterprise mobility management as well as seamless application integration. The Centrify Privilege Service provides simple cloud-based control of all of your privileged accounts while providing extremely detailed session monitoring, logging and reporting capabilities. The Centrify Server Suite provides the ability to leverage Active Directory as the source of privilege and access management across your Unix, Linux and Windows server infrastructure.
With the addition of these three vendors, PMG can help address key gaps in a customer’s IAM capability. To better understand the eight levers of IAM Maturity and where you may have gaps, take a look this blog by our CEO, Keith Squires about the IAM MAP. Please reach out to see how PathMaker Group, using industry-leading products and our tried and true delivery methodology, can help get your company started on the journey to IAM maturity.
