As the world of work shifts dramatically in light of current events, IT organizations need to evaluate the role an employee’s system plays in how that person accesses their resources. The concept of System-as-a-Gateway is starting to define how modern IT organizations operate.
What is System-as-a-Gateway?
With a System-as-a-Gateway model, an employee’s device acts as the conduit to the rest of their IT resources, and as such should be tightly managed and secured. After all, access to WiFi, applications, infrastructure, etc. all start with the system, so it makes sense that IT admins should focus on it as the crux of their end users’ workflow.
Because end users need seamless access to these resources through their system, IT admins need to be sure that end user identities aren’t limited to any particular platform, protocol, provider, or even location of a specific resource. In order to truly achieve a System-as-a-Gateway experience, IT admins need an identity provider that’s as flexible as the resources their end users leverage. More on that in a second.
System-as-a-Gateway with Zero Trust
System-as-a-Gateway, as a concept, embodies a zero trust security model. With a zero trust model, IT organizations need to ensure that they have measures in place to secure their resources because no user or system can be inherently trusted.
After all, a set of credentials may be compromised through phishing, or an insider may want to leverage their position to do damage to a company. If granted unrestricted access to a system, its settings, and the resources it can reach, these bad actors would have free rein over an organization’s critical infrastructure and data.
So, by adopting a System-as-a-Gateway approach, IT admins can head off attacks before they happen, including blocking potential phishing attempts. To do so, IT admins need to be vigilant about how, where, and when a system is being accessed, and limit the resources it can provide access to accordingly.
Some key zero trust security measures include:
- System-based Password Management: By allowing end users to control their passwords through their systems, IT admins put distance between their organization and phony emails and web pages attempting to phish them.
- System Policies: In order to keep the system as safe as possible, IT organizations need to enforce fleet-wide security settings to all devices. These range anywhere from full disk encryption to screen lock timeout durations.
- Principle of Least Privilege: Through their system, users can reach only the minimum set of resources their role requires (e.g. specific application settings or network VLAN segments).
- Adaptive Access: Wherever they find themselves, end users can securely access their resources, but admins also have the ability to limit access based on location (IP blocking) to reduce attacks from bad actors.
- Multi-factor Authentication (MFA): Additional factors are required to access a system or other resource beyond the standard set of credentials. MFA significantly reduces the attack surface by defeating brute-force attempts and ensuring that only a known entity gains access, even if the correct credentials are presented (for example, after they were phished or otherwise compromised).
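To make the list above concrete, here is an added example (not code from the original post, and not part of any vendor's product) of a single access-decision function that applies each of these zero trust measures to one request coming from an employee's system. Everything in it is constructed for illustration: the device baseline (disk encryption required, screen lock within five minutes), the allowed source networks, the role-to-resource map, and the sample users are all hypothetical values rather than anything the post specifies.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed, hypothetical fleet-wide baseline (System Policies).
MAX_SCREEN_LOCK_SECONDS = 300  # screen must lock within 5 minutes of inactivity

# Constructed allowed source ranges for Adaptive Access: an internal range
# plus a documentation-only range (TEST-NET-3) standing in for a VPN egress.
ALLOWED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

# Constructed least-privilege map: which resources each role may reach
# through its system. Anything not listed is denied by default.
ROLE_RESOURCES = {
    "engineer": {"git", "ci", "vlan-dev"},
    "finance": {"erp", "vlan-corp"},
}


@dataclass
class Device:
    disk_encrypted: bool
    screen_lock_seconds: int


@dataclass
class AccessRequest:
    user: str
    role: str
    device: Device
    source_ip: str
    mfa_verified: bool
    resource: str


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)  # why access was denied, if it was


def evaluate(req: AccessRequest) -> Decision:
    """Zero trust gate: every check must pass; any failure denies and is recorded."""
    reasons = []

    # System Policies: the device itself must meet the fleet baseline.
    if not req.device.disk_encrypted:
        reasons.append("device: full disk encryption not enabled")
    if req.device.screen_lock_seconds > MAX_SCREEN_LOCK_SECONDS:
        reasons.append("device: screen lock timeout exceeds policy")

    # MFA: correct credentials alone are not enough.
    if not req.mfa_verified:
        reasons.append("mfa: second factor not verified")

    # Adaptive Access: limit by source location (IP allow-listing).
    try:
        addr = ip_address(req.source_ip)
    except ValueError:
        reasons.append("network: source address is not a valid IP")
    else:
        if not any(addr in net for net in ALLOWED_NETWORKS):
            reasons.append(f"network: {addr} is outside allowed ranges")

    # Principle of Least Privilege: role must explicitly grant the resource.
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        reasons.append(f"privilege: role '{req.role}' is not granted '{req.resource}'")

    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample requests: one compliant, one failing every check.
    ok = AccessRequest("alice", "engineer", Device(True, 120), "10.1.2.3", True, "git")
    bad = AccessRequest("bob", "finance", Device(False, 900), "198.51.100.7", False, "git")
    for r in (ok, bad):
        d = evaluate(r)
        print(r.user, "ALLOW" if d.allowed else "DENY", d.reasons)
```

The design point is that the function collects every failed check instead of stopping at the first one: an admin reviewing a denial sees the full picture (unencrypted disk, missing second factor, unexpected source network, and an unauthorized resource) rather than a single symptom, which is what you want when deciding whether a request is a misconfigured laptop or a compromised credential.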
In order to properly enforce these and other security measures, IT admins need proper tooling that starts at the device level and propagates out to other resources. Contrary to popular belief, System-as-a-Gateway tooling existed before the current era of IT.
System-as-a-Gateway was first embodied by the traditional directory service, Active Directory (AD). In an AD environment, an end user logs in once to their Windows device and then is granted access to all of their Windows resources, networks, apps, etc. In this way, the system served as the first and only touchpoint an end user needed to be able to do their work. IT admins then applied group policy objects (GPOs) via AD to lock down Windows systems through security settings applied at scale.
With the advent of modern IT resources, however, the traditional AD method of identity management has broken down. SaaS apps and infrastructure, Mac and Linux devices, and other innovations fall outside of AD’s domain. Since they fall outside of the domain, access to these resources is inherently less secure than ones that are directly under IT’s control.
System-as-a-Gateway with Directory-as-a-Service
With a cloud directory service, or Directory-as-a-Service, any system — Windows, Mac, or Linux — is a hub to access virtually all other IT resources. End users can utilize their system to change their single set of credentials, which like AD applies outward to all of their resources, providing both security and convenience. Using Directory-as-a-Service, IT organizations can apply security settings at scale akin to AD’s GPOs, except unlike GPOs, these Policies apply to Windows, Mac, and Linux.
Then, admins can apply least-privilege access controls to the system and its users’ identities. Directory-as-a-Service authenticates to virtually all resources, cloud and on-prem, so IT admins simply need to choose which resources a user or group has access to, and then limit said access to the minimum required extent.
To cap off the System-as-a-Gateway experience, IT admins using Directory-as-a-Service can enforce MFA at the system level, as well as other resources like applications and VPNs. All of these capabilities are available remotely through a single, cloud-based admin console.
If you’re interested in the security benefits of a System-as-a-Gateway identity management model, consider Directory-as-a-Service as your all-in-one identity and access management solution. You can learn more about how Directory-as-a-Service can secure your workforce, even if it’s fully remote, in this blog.