As remote work blurs the lines of the traditional “perimeter,” the cloud is becoming the new norm — and, with it, cloud-based applications and access to resources. This is causing data security to be addressed closer to the data origination point; applications are now including data security as an integral part of their structure and functionality rather than treating security as a separate function or add-on.
Nancy Wang, General Manager of Data Protection Services at AWS joined the JumpCloud Product Marketing team in a recent webinar to discuss this shift and its implications for secure onboarding in modern decentralized environments. Wang detailed how traditional data loss protection (DLP) solutions are giving way to DLP measures that are built straight into the applications themselves, giving rise to disciplines like SecOps and AppSec.
This industry-wide movement to close the gap between data and data security is part of a larger shift towards security that can account for remote and hybrid work. One of the most critical components of a successful data security strategy in decentralized environments is Zero Trust.
Establish a Zero Trust Baseline
The rise of data in the workplace and dissolution of the traditional IT perimeter gives hackers a larger attack surface, driving a rise in cyberattacks. This makes it more important than ever for companies to establish reliable security that replaces the old model of the brick-and-mortar perimeter with a software-defined one.
Zero Trust security is the key answer to this challenge and is becoming more mainstream as companies continue migrating towards the cloud and attacks continue rising.
Zero Trust functions by the mantra, “Trust nothing; verify everything.” With Zero Trust, access is never authorized without strong — preferably layered — authentication. In practice, this includes measures like multi-factor authentication (MFA) being applied across the board, conditional access policies determining when to increase and relax restrictions, and devices assigned to users via PKI certificates.
Onboarding Security: Start from the Beginning
With data security becoming a critical factor in a security strategy, it’s important to secure data from its point of origination. Just as app developers are incorporating DLP into in-line proxies, IT admins should be securing user data from the moment it’s created in the onboarding process.
To establish best practices for secure onboarding, we’ll take a look at the challenges legacy onboarding processes pose and how IT teams can solve them.
Time and Manual Labor
It takes IT about an hour to onboard an employee manually (and that’s an ambitious estimate), and that timeframe scales linearly: onboarding a new department of 12 would take 12 hours. A large portion of this time is spent manually creating and provisioning accounts for every application and resource for every employee. This is a serious hindrance for large and scaling organizations, and it distracts from IT’s larger, more pressing strategic initiatives.
Manual onboarding without provisioning protocols like SCIM and SAML JIT is prone to error. These errors can be hard to catch and fix, and incorrectly provisioned identity resources can create long-lasting problems. For example, if an account was set up with a misspelled username, teams may not be able to recover that username, and they may be unable to create a replacement account without first closing out the misspelled one. Issues like these hinder productivity, muddy reporting, and create security vulnerabilities.
In addition to setting up an employee’s digital resources, there’s the task of setting up the employee’s device(s). When onboarding in the office, this usually means ordering the device ahead of time and configuring and provisioning it for the employee when they arrive.
While this process may be fairly straightforward, it grows cumbersome when it comes to onboarding several employees at once, and remote offices only exacerbate the problems. In the office, organizations often end up storing a stack of new laptops in a storage closet; remotely, IT admins typically have to keep them somewhere in their house until they’re configured and then coordinate shipping to each employee. These situations leave the devices at risk and add several onboarding steps that have the potential to cause a bottleneck or breakdown in the process.
Creating a Positive Experience
These logistical and laborious elements of the onboarding process could put a damper on the experience for both IT teams and new employees — especially if something goes awry. However, the onboarding experience is a critical influencer on performance and retention: a positive onboarding experience can increase employee retention by 82% and productivity by 70%. Similarly, equipping your IT team with the tools they need to facilitate onboarding quickly and easily will reduce their manual workload, free them up to work on more strategic tasks, and help prevent burnout.
Because the onboarding experience is so critical, organizations are starting to develop ways to automate the process.
The rise of data security tightly integrating with remote work is making it possible for IT teams to streamline, secure, and automate a majority of the onboarding process.
Take single sign-on (SSO), for example. SSO uses authentication protocols like SAML 2.0, LDAP, and OAuth to secure connections between the user and their applications, authenticating and authorizing them under one set of credentials. These protocols offer built-in security that’s much more reliable than a username/password combination, and only requiring each user to remember one set of credentials reduces the risk of password compromise.
Further, some SSO solutions and apps also allow for Just-In-Time (JIT) provisioning, which automatically provisions the user an account the first time they access the resource, bypassing IT’s need to manually provision them an account. For large or scaling organizations, this can result in significant time saved while increasing password security and improving the user experience.
Additionally, the vast majority of manual onboarding tasks are identity-based. As the business world migrates to the cloud, a similar shift from the on-prem directory to a cloud-based directory service is meeting the needs of this new cloud-centric business model. Cloud directories are better equipped to securely centralize and store user data than their on-prem counterparts, like Microsoft Active Directory. With a cloud directory platform like JumpCloud, for example, organizations can manage all of a user’s identity-based data, from RADIUS access to the central network to cloud-based applications and data stored in an HR portal, in one place. It even offers automatic user creation and provisioning within the directory when you add the user to a compatible HR platform.
All this consolidates and secures the onboarding process to deliver a secure, streamlined, and positive onboarding to users and IT teams alike.
Automating Device Onboarding with Zero Touch
This automation can extend to devices to solve the problem of stacks of valuable equipment sitting in an office closet or IT admin’s garage. Mobile Device Management (MDM) platforms can “image” new machines remotely to prevent the IT admin from needing to configure the device in person. Instead, they can install firewalls and VPNs and turn on disk encryption remotely, and have new laptops drop-shipped directly to the new user’s house. Look for a cloud directory platform that enables Zero-Touch enrollment, so you can automatically configure users and their devices seamlessly and remotely.
These benefits don’t stop at onboarding. They persist throughout the user lifecycle, providing intrinsically secure access to resources and facilitating a quick and clean offboarding when an employee leaves.
Just as SSO allows IT to automatically provision accounts to employees, it also allows IT teams to offboard employees just as easily — no more awkward shuffling to deprovision an employee quickly while getting the timing just right. With SSO, you can deprovision all their applications at once. Better yet, when managed in a cloud directory platform, you can deprovision them from everything, from applications to file-sharing to the company network, by simply removing them from the directory.
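The JIT provisioning and one-step deprovisioning described above, as an added example written for this article (it is not JumpCloud's or AWS's code). The toy directory keys each account on the identity provider's immutable subject identifier rather than on the username, which is what lets a later login correct a misspelled username without creating a duplicate account; the assertion dictionary, the group names and the GROUP_RESOURCES mapping are constructed stand-ins for a real IdP assertion and application catalog.

```python
"""Added example, written for this article: SAML-style JIT provisioning into
a directory that keys accounts on an immutable subject identifier, plus the
matching one-step deprovisioning. This is not JumpCloud's or AWS's code; the
assertion dict, the group names and GROUP_RESOURCES are constructed stand-ins."""
from dataclasses import dataclass, field

# Constructed: which directory groups grant which application accounts.
GROUP_RESOURCES = {
    "engineering": {"github", "aws-console"},
    "finance": {"erp", "expense-portal"},
    "everyone": {"email", "chat"},
}


@dataclass
class User:
    subject_id: str                        # immutable IdP identifier (SAML NameID / SCIM externalId)
    username: str                          # login name; may be corrected on a later login
    groups: set = field(default_factory=set)
    resources: set = field(default_factory=set)


class Directory:
    """Toy directory: one record per subject_id, never per username."""

    def __init__(self):
        self._by_subject = {}

    def jit_provision(self, assertion: dict) -> tuple:
        """Called on every successful SSO login with the IdP's attributes.
        First login creates the account; later logins refresh it in place.
        Returns (user, created)."""
        subject = assertion["subject_id"]
        wanted_groups = set(assertion.get("groups", [])) | {"everyone"}
        user = self._by_subject.get(subject)
        created = user is None
        if created:
            user = User(subject_id=subject, username=assertion["username"])
            self._by_subject[subject] = user
        else:
            # A corrected username updates the existing record instead of
            # creating a second account for the same person.
            user.username = assertion["username"]
        user.groups = wanted_groups
        user.resources = self._resources_for(wanted_groups)
        return user, created

    def deprovision(self, subject_id: str) -> set:
        """Removing the directory record revokes every granted resource at once.
        Returns the set of resources that were revoked (empty if unknown)."""
        user = self._by_subject.pop(subject_id, None)
        if user is None:
            return set()
        revoked = set(user.resources)
        user.groups.clear()
        user.resources.clear()
        return revoked

    def lookup(self, subject_id: str):
        return self._by_subject.get(subject_id)

    @staticmethod
    def _resources_for(groups) -> set:
        granted = set()
        for group in groups:
            granted |= GROUP_RESOURCES.get(group, set())
        return granted


if __name__ == "__main__":
    d = Directory()
    # Constructed assertions: first login arrives with a misspelled username.
    user, created = d.jit_provision(
        {"subject_id": "idp-1001", "username": "jdeo", "groups": ["engineering"]})
    print(created, user.username, sorted(user.resources))
    user, created = d.jit_provision(
        {"subject_id": "idp-1001", "username": "jdoe", "groups": ["engineering"]})
    print(created, user.username)
    print(sorted(d.deprovision("idp-1001")))
```

Because the record is found by `subject_id`, the second login merely renames the existing account; the misspelled-username problem from the manual process does not arise. Deprovisioning is likewise a single removal from the directory, which returns the full set of resources that were revoked so the offboarding can be logged and audited.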
Balancing Security with the User Experience
When boiled down, most companies’ ultimate goals are generating revenue and success in the marketplace — which can’t happen without fostering employee productivity. The best security measures are those that appropriately balance tight, reliable security with a seamless experience that empowers employees instead of slowing them down. Fortunately, as security solutions improve, it’s becoming possible to achieve the best of both worlds without compromising much on either side of the scale.
Conditional access, for example, allows IT admins to configure systems to heighten or relax security restrictions based on parameters they set. For example, an IT administrator could configure their cloud platform to require MFA or deny anyone access to the central network from unsecured WiFi. They could also allow users to bypass MFA when logging on from their assigned device (verified via PKI certificate) and from an adequately secured network (like their home office).
With these configurations, the user experience is fairly frictionless; the employee could log onto their computer with their known set of credentials (or fingerprint or other approved factor), bypass MFA, and get straight to work every day when they’re in the office or working from home. They might experience occasional friction when they try to log on at an airport or coffee shop; however, added friction in high-risk scenarios such as these is warranted, and is generally a sign of a strong security program.
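The conditional access rules just described, as an added example written for this article; it is not JumpCloud's or AWS's policy engine. The `AccessContext` fields, the `TRUSTED_NETWORKS` list and the rule ordering are constructed assumptions, chosen so that deny rules are evaluated before any relaxation.

```python
"""Added example, written for this article: a small conditional access
evaluator of the kind described above. It is not JumpCloud's or AWS's policy
engine; AccessContext, TRUSTED_NETWORKS and the rule ordering are constructed."""
from dataclasses import dataclass

# Constructed: networks the organisation treats as adequately secured.
TRUSTED_NETWORKS = {"office-hq", "home-office"}

ALLOW, REQUIRE_MFA, DENY = "allow", "require_mfa", "deny"


@dataclass(frozen=True)
class AccessContext:
    user: str
    resource: str            # "central-network" or an application name
    network: str             # constructed network label
    network_secured: bool    # False on open/unsecured Wi-Fi
    device_cert_valid: bool  # device certificate issued by the org and bound to this user


def evaluate(ctx: AccessContext) -> tuple:
    """Rules are checked in order and the first match wins. Deny rules come
    first so that a later relaxation can never override them.
    Returns (decision, reason) so the reason can be written to the audit log."""
    # Rule 1: unsecured Wi-Fi never reaches the central network.
    if ctx.resource == "central-network" and not ctx.network_secured:
        return DENY, "central network requested from unsecured Wi-Fi"
    # Rule 2: assigned device on a trusted network: the primary credential is enough.
    if ctx.device_cert_valid and ctx.network in TRUSTED_NETWORKS:
        return ALLOW, "assigned device on trusted network"
    # Rule 3: anything else (airport, coffee shop, unmanaged device) steps up to MFA.
    return REQUIRE_MFA, "untrusted network or unverified device"


if __name__ == "__main__":
    # Constructed sample contexts covering the cases discussed in the text.
    samples = [
        AccessContext("jdoe", "crm", "office-hq", True, True),
        AccessContext("jdoe", "crm", "home-office", True, True),
        AccessContext("jdoe", "crm", "cafe-wifi", True, True),
        AccessContext("jdoe", "central-network", "airport-free-wifi", False, True),
        AccessContext("jdoe", "crm", "office-hq", True, False),
    ]
    for ctx in samples:
        decision, reason = evaluate(ctx)
        print(f"{ctx.user} -> {ctx.resource} via {ctx.network}: {decision} ({reason})")
```

The ordering is the security-relevant part: because the unsecured-network deny is tested before the trusted-device relaxation, a valid device certificate can never be used to reach the central network from open Wi-Fi. Returning the matched reason alongside the decision gives the SOC something meaningful to record when a step-up or denial is triggered.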
More and more companies are finding that a core directory platform in the cloud is the answer to striking the perfect balance between security and friction — for both IT admins and users. A cloud-based directory platform can store detailed data about user permissions, security settings, activity, and other insights, and it draws on that information to intelligently and securely extend access to all the IT resources a user needs without overstepping permission restrictions.
JumpCloud is the leading cloud directory platform for managing everything from cross-OS devices to users’ access to cloud and on-prem resources. It integrates seamlessly with AWS, another leading cloud computing platform, to help companies create a comprehensive, seamless, and intelligent onboarding and offboarding process. Let’s take a look at one of the most useful and common integrations for improving onboarding and offboarding.
Onboarding Hack: AWS Group Management Integration with JumpCloud
As one of the most popular cloud platforms on the market, AWS is a common tool used for onboarding, and our recent webinar covered some of the AWS features that help streamline and automate the process.
Two of the most notable features for improving onboarding and offboarding in AWS are its user groups and SSO. AWS enables IT administrators to set up groups that prescribe access privileges, so when you add a user to a group, they’re automatically provisioned to all the AWS resources prescribed to that group. Further, with SSO, they can immediately sign into all their provisioned AWS applications with one click. Just as easily, IT administrators can revoke access to provisioned resources by removing a user from a group or from the AWS platform altogether.
While AWS provides robust SSO and IAM services, it doesn’t extend to user management outside of AWS. Fortunately, AWS integrates seamlessly with JumpCloud, which is a popular option for many companies working with AWS and looking for a more extensive IAM solution. As a complete cloud directory service, JumpCloud also offers SSO and user groups that facilitate users’ access to all the IT resources they need, both in the cloud and on premises.
Watch the Full Webinar
As businesses adopt cloud-centric models to support remote and hybrid workforces, security needs to integrate with data creation — and that includes onboarding. To truly foster a cloud environment that enables secure, seamless onboarding, businesses need to look toward a cloud directory service like JumpCloud. To learn more about JumpCloud’s secure onboarding and offboarding services, watch the full webinar: Integrating Data Security Into the IT Onboarding Journey.