How an Access Management Solution Helps Your Organisation
In the blog post “Why do you need an Identity & Access Management (IAM) solution“, we looked at the challenges organisations without an IAM solution experience: challenges in efficiency and cost reduction, compliance requirements of laws and regulations, and protection against data breaches. The last two blog posts highlighted how (semi-)automated user and authorisation management helps organisations. But how do you provide employees with secure access to your applications without compromising on user-friendliness? And how do you deal with other groups of users who need access to your ICT infrastructure? This blog post delves into how Access Management technology can help your organisation in these three key areas.
In this article
How does an IAM solution help?
In the previous blog posts, we examined IAM technologies such as User Provisioning and Service Automation. Both of these pertain to managing users and authorisations. User Provisioning automates this process entirely, based on a source system. On the other hand, Service Automation could be characterised as semi-automatic as it fills the gaps that are not fully automatable. The third major topic within Identity & Access Management is access management. This is where Access Management comes into play.
Access Management
Access Management simplifies the authentication of users to applications. With an access management solution, users need only log in once in order to access multiple applications. Without such a system, employees need a separate user account for each application. This means that an employee starts their workday by logging in with their Active Directory or Google Workspace account on their laptop or Chromebook. Then they must log in separately to the intranet, followed by the CRM system, and if they want to request leave – you guessed it – they must log in separately for that too. Moreover, you must use a different password for each account in order to keep it secure. This is very inconvenient for the user, and in practice employees often end up using the same login details for different applications. In that case they still have to log in separately, but at least they don’t need a photographic memory to remember all sorts of complex passwords with uppercase, lowercase letters, numbers and special characters. But unfortunately, that approach is also very convenient for hackers. They only need to breach one poorly secured application to subsequently log in to all other applications.
An Access Management solution offers employees, partners and customers simple and secure access to (cloud) applications. This blog post will delve deeper into the various functionalities of Access Management that collectively achieve this goal.
Primaire identity provider
Normally each application requires a separate login. Access Management introduces the concept of a single central login credential for specific user groups, known as the Identity Provider. For employees, these credentials are typically the same as those used to log into their computers, such as a Microsoft (Azure) Active Directory account or a Google Workspace account for Chromebook users. This set of credentials becomes the primary identity provider for employees, allowing them to access company applications (referred to as consuming applications) after logging into that identity provider. The concept of one primary identity provider for employees is now widely used in many organisations. At the same time, employees are increasingly not the only user group requiring access to the ICT infrastructure. Nowadays, customers often need access to certain web applications, and students in schools need to log into their digital learning environments. In these scenarios, CRM systems and student administration systems (SAS) can also serve as logical primary identity providers.
Managing an IT environment with multiple identity providers for various user groups adds complexity. Most consuming applications are designed to support just one identity provider, making it challenging to simultaneously cater to different user groups, such as employees, students or customers, each with their own identity providers. If a consuming application is linked to Azure for employee use, then ideally, other users would also need an account in the same system. In such situations, a robust Access Management solution acts as an ‘adaptor’ between multiple identity providers and the consuming applications. Each user group gains access to the access management system through their respective identity provider, which then facilitates access to their specific ICT resources. Additionally, some organisations may not yet have an effective Identity Provider for their users. In these cases, the Access Management solution can also function as the identity provider, eliminating the need for organisations to invest in expensive licenses solely for login purposes. This approach is particularly popular when granting access to external parties.
Access Portal
With an Access Management solution, each user group can log in using their own method. But you also want to provide your users with an overview of the applications available to them. For this purpose, an Access Management solution offers a central access portal that displays the applications for which the user actually has access rights. Cloud-based Access Management solutions typically include such an access portal. However, many organisations already have their own ‘start portal’ and are not keen on adding an extra user portal. Therefore, an Access Management solution like HelloID can offer the access portal as a standalone feature or seamlessly integrate it as a widget within an existing social intranet or SharePoint Online environment. This integration helps to avoid ‘portal fatigue’ and enhances the user experience by consolidating access to the latest organisational news, company policies and necessary applications in one place.
This portal not only improves user-friendliness, but also enhances information security. As applications increasingly transition from on-premise infrastructure to the cloud, users are tasked with remembering or bookmarking cloud application URLs, instead of using an icon on their desktop. This is inconvenient for users and also poses a phishing risk. Typing errors in URLs or clicking on phishing emails could inadvertently lead users to fraudulent sites mimicking the real applications. A cloud-based desktop environment can greatly mitigate these risks.
Single sign-on
Single sign-on (SSO) functionality allows users to access all their company applications after a single login with their primary account. Most Access Management solutions present a user-friendly portal that neatly lists all (web) applications. With Single sign-on, users simply select an application in the portal, and the Access Management solution takes care of the login process automatically and securely, streamlining access and enhancing security.
Users therefore no longer need to remember dozens of URLs, usernames and passwords. A single login with the primary account is all that is needed. This approach is not only more user-friendly, but also enhances security. It’s pretty much necessary to use distinct passwords for each application for security reasons. This approach prevents cybercriminals from gaining access across the board with just one compromised password. Yet, employees who attempt to use unique login details for every application often struggle to remember all of them. While there are password manager tools, they are not always convenient. As a result, many users resort to either choosing easily guessable passwords or writing them down, leading to security vulnerabilities or a surge in costly helpdesk tickets due to forgotten passwords. Many users have ‘solved’ this by using one set of login details for multiple applications, which introduces its own set of risks. Single sign-on effectively addresses and resolves these password management issues.
Multi-Factor authentication
But is single sign-on really safer? After all, if someone’s main account is hacked, they could still access all applications, right? That is a valid question, but the short answer is that SSO is indeed safer. Consider the analogy of a house: having a standard front door and choosing to lock all internal doors might seem secure, but soon you might find yourself leaving these internal doors unlocked or keeping the keys in them. Convenience tends to overrule security measures. Therefore, it is more effective to focus on fortifying the external doors and windows, similar to how single sign-on secures the primary access point.
This principle also applies to IT access security. Rather than having individual locks on each internal door (each application with its own login), a specialised Access Management solution offers a singular, highly secure ‘front door’ to your IT environment. The provider of this specialised Access Management service ensures that access security remains current and that all unsecured pathways to individual applications are sealed off. However, with just a username and password, we can never guarantee that someone is who they claim to be. Someone could peek over your shoulder to see your password, and through social engineering tricks or brute force attacks, your password could be compromised. This is where multi-factor authentication (MFA) comes into play.
Multi-factor authentication adds one or more additional layers of verification. In addition to something a person knows (the password), this could be something a person has or something a person is. Something a person has could be a phone with an authenticator app, or even Yubikeys, which are now commonly found on many key rings. The system is even safer when requiring biometric data like a fingerprint or an iris scan. By verifying an additional factor besides a username and password, it becomes much more difficult for a hacker to access an account. Of course, this extra verification makes logging in slightly more complex, but as a ‘reward’, logging into all other applications becomes much easier and the overall user experience is significantly improved.
Conditional access
In the past, applications were accessible only from within the company network, and devices on this network were always company property. However, cloud applications can be accessed globally using any device, complicating the task of controlling access to data and documents for IT departments. Conditional access in an access management solution enables organisations to regain control over who accesses what, when and from where.
Conditional access encompasses a collection of policies that specify the conditions under which certain users or user groups can access specific applications. For example, someone might be able to log in to the financial system from the company network during the day without any issues. However, if the same person tries to access it at night via their smartphone, that might be restricted. Each time someone tries to access, the access management solution checks for any applicable access rules. Each rule comprises a condition and an associated action. Here are a couple of examples:
- A simple rule: ‘when the user wants to log into the access portal, they must use multi-factor authentication’
- A more complex rule: ‘when the user wants to log in outside the organisational network and does not hold a management position, they can gain access to the portal with MFA and access their applications via single sign-on. However, if the user then requests access to a financial application, they must authenticate again using an Authenticator app’
In the examples above, the rules depend on the individual’s role, the network used and the application being accessed. Other possible conditions could include the day and time someone logs in or wants to use an application, their location or IP address, or the device or browser being used. You can then combine multiple conditions and possible actions into rules to customise and ensure the security of data in the cloud according to your needs.
Compliance with laws and regulations thanks to an access management solution
Many organisations today aim to be compliant with ISO 27001, the international standard for information security management. Often, this compliance is even a strict requirement for doing business with certain clients. Government organisations and healthcare institutions must also meet the BIO and NEN 7510 standards, respectively, which are based on these ISO 27001 guidelines. Additionally, the GDPR guidelines for the protection of personal information are, of course, mandatory for organisations.
In these information security and privacy guidelines, Identity & Access Management functionality plays a key role. Focusing on Access Management, features like single sign-on, multi-factor authentication and conditional access are crucial in meeting many of these security requirements. The combination of user-friendly and secure access solutions prevents employees from resorting to unsafe workarounds. Moreover, the strength of a central Access Management platform lies in its ability to log all access attempts and other actions centrally. This allows for easy tracking of who accessed which application and when.
Written by:
Arnout van der Vorst
Others also viewed
