As experts in IAM, we like to think that we’re a little bit ahead of the curve on the leading trends and top solutions in Identity and Access Management. Below, we’ll give you a quick overview of the IAM market and then dive into three solutions that are making life better for savvy IT admins: Google Apps, MFA, and True SSO.
Note: if you want to skip this blog post and jump straight to a more in-depth resource, we’re now offering our 2016 IT Guide to Identity Management for free.
Quick Overview of Identity & Access Management
As the core store of all identities, your directory is the foundation of any IAM strategy. We offer a comparison between Active Directory, LDAP, and DaaS which explains the strengths and weaknesses of each.
The middle of the pyramid consists of ways of extending and improving your ability to manage access more securely and efficiently across the wide variety of IT resources in use today. These are especially necessary if you’re still running Microsoft AD or another on-premises directory.
MFA (Multi-Factor Authentication) caps everything off. MFA is the most essential security solution you can implement for your IAM in 2016. By adding another token of authentication in addition to a password, you improve the security of your user credentials by orders of magnitude. If you don’t have MFA for your enterprise, get it.
Leverage SaaS Identities like Google Apps & Office 365
At a lot of organizations, every single employee has a Google Apps identity. They use it for email and for productivity apps, but it exists separately from their core identity that’s stored in the company directory. It wouldn’t be a big deal if Google Apps was the only app in use, but add in SalesForce, Slack, and a plethora of other apps and you’re facing something that we call “Identity Sprawl.”
Identity Sprawl isn’t just chaotic and inefficient. It can actually be a serious security risk because so many of these identities exist outside of IT’s purview. If there is a breach of a third party identity, there’s no way for an admin to know until it’s too late.
We’ve talked to so many IT admins over the last couple of years who have told us something to the effect of, “I wish that we could unify all of our users’ identities into one Google Apps identity, managed through our central user store.”
But it hasn’t been practical to use Google Apps identities as your core identities because Google Apps was never built to be a directory and it has several key deficiencies in that regard:
- No centralized control over all identities
- No grouping functionality
- Lack of automation
- Not security compliant
But shouldn’t there be a way to turn Google Apps into a full-fledged directory? Now there is. Directory-as-a-Service can sync with Google Apps, automatically importing all Google Apps users into a highly secure, robustly featured directory that functions across your entire IT infrastructure. When you make a change within the DaaS’s central control panel, the changes are automatically propagated across Google Apps users – and that includes automated processes and managing users by groups.
The same is possible with Office 365 and DaaS.
The benefits of this approach are many. SaaS directories are exceptionally effective on the cloud while requiring little investment and maintenance from IT departments. This is especially effective for startups that don’t have an existing directory, but we’re seeing more organizations transitioning from a traditional on-premises directory like Microsoft AD to a SaaS-based model.
Improve IAM Security with MFA & Automatic Password Rotation
Enterprise security has grown up a lot in the last decade. It no longer means installing anti-virus software, putting up a firewall, and calling it a day.
Now it’s useful to think of security in five layers, with identity security at the core.
Why is Identity Security at the core? Networks, devices, applications, and data are all important to secure. But when an identity is compromised, it can be used to bypass all of the other security measures that you have taken.
So how do we improve the security of our identities?
We’ve already talked about the single best method above: Multi-Factor Authentication, or MFA.
Why is MFA so effective? It’s because MFA generally requires two very different types of credential tokens – and the type of criminal who can obtain one of them generally has a very difficult time obtaining the other.
Most MFA authenticates once with something the user knows (e.g. a password) and again with something that the user has (e.g. a laptop, mobile device, card reader, or USB token). These are called Knowledge Factors and Possession Factors.
Let’s say that there’s a superpowered cyber hacker on the other side of the globe and she has just obtained one of your users’ credentials. Without MFA, the hacker would have access to sensitive IT resources and could do serious damage to your organization. But with an MFA system that requires authentication through a device owned by the user, the hacker would also have to have stolen that device in order to log in to the user’s account.
Alternately, a petty thief could steal your CEO’s laptop from Starbucks, but they could spend all day trying to guess the password to no avail.
Additional methods to improve identity security:
- Establish stringent password requirements (this can be automated)
- Require password rotation through a password manager
- Store all identities with one-way hashing and salting
- Train (and retrain) your employees regularly on best security practices
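To make the two factors and the storage advice concrete, here is an added example (not JumpCloud code) of a login check that combines a knowledge factor stored as a salted one-way hash with a possession factor verified as an RFC 6238 TOTP code from a device-held secret; the user record, secret and password are constructed for illustration.

```python
"""Two-factor login check: knowledge factor (salted PBKDF2 hash) plus
possession factor (RFC 6238 TOTP). Illustrative code, not a product API."""
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

PBKDF2_ROUNDS = 600_000  # slow by design so offline guessing is expensive


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means identical
    passwords produce different digests and precomputed tables are useless."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt; compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock skew."""
    return any(hmac.compare_digest(totp(secret_b32, unix_time + 30 * i), code)
               for i in range(-window, window + 1))


def login(record: dict, password: str, code: str, now: int) -> bool:
    """Both factors must pass: a stolen password alone does not log in,
    and neither does a stolen device without the password."""
    knows = verify_password(password, record["salt"], record["digest"])
    has = verify_totp(record["totp_secret"], code, now)
    return knows and has
```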
Maximize Efficiency with True Single Sign-On
I could tell you the meaning of Single Sign-On (SSO), but I could also tell you that ‘Single Sign-On’ is a term that has become meaningless.
Why is that? It’s because most supposed Single Sign-On providers, when employed to their fullest, still require multiple logins from their users on any given day at work.
What’s happened is that the modern office has become so decentralized – with IT resources spanning across the cloud and users working on different types of devices in different locations – that it has become nearly impossible for any SSO provider to actually cover all of it.
So when you hear “Single Sign-On,” it probably actually means “Single Sign-On Across One Sector of Resources.” I guess SSOAOSR doesn’t have the same ring to it.
It’s not really the SSO provider’s fault. The reason that they’re not able to achieve what we’ll call True Single Sign-On (when one login really does authenticate access across all resources in use at an enterprise) is because access is regulated so much at the directory level.
If you don’t have a directory that can authenticate access across all of your IT resources, then good luck ever achieving True SSO. One protocol isn’t enough (most SSO solutions employ SAML). A True SSO solution should support LDAP, RADIUS, and REST APIs (just to name a few).
Again, this is finally possible thanks to Directory-as-a-Service. JumpCloud’s DaaS supports LDAP, RADIUS, SAML, REST APIs, and more – working equally well across the cloud as on premises. With DaaS, organizations finally get a directory that has been designed from the ground up for the current, decentralized IT environment.
Identity Management Solutions that Work
Move forward into the new world of IAM with confidence. High costs and insufficient management are in the rear-view. Better security and true SSO lie ahead.
Here are some resources for further reading on MFA, SSO, and Google Apps / Office 365:
- The IT Guide to Identity Management 2016
- How to Enable Multi-Factor Authentication (MFA)
- Google Apps Directory Integration
- Office 365 Directory Integration
- How to Achieve True SSO
If you’re interested in JumpCloud’s DaaS, we offer a free account for your first ten users.