The IT Guide to Identity Management 2019
Identities have quietly become the most critical digital assets in the modern era. And whether management knows it or not, many of the most crucial conversations they have with IT are really conversations about identities.
Want better security?
If hackers steal your company’s identities, they steal the very core of your business. This fear would keep any IT team up at night, especially since the average cost of a data breach is $3.86 million.
How about more efficiency?
Wouldn’t it be nice if with just one click, you could grant and revoke access to the myriad of resources your employee needs? This would allow your team to focus on building and strengthening your business.
A fast-moving, efficient, secure business orbits around successfully managing your team’s identities – and it always has. But today, there are more high quality IT resources to connect to than ever before. This is contributing to a fundamental shift in the Identity and Access Management (IAM) market. If you’re not keeping up, then you’re putting your company at risk of breaches, loss of productivity, and falling behind the competition.
Don’t want that to happen? You’ve come to the right place.
This guide doesn’t just show how the Identity and Access Management landscape is shifting. It shows you how to shift along with it. There’s a brave new world of IAM – and you can use it to your advantage to move your business forward even faster and more efficiently.
PART I: Overview
The New Identity
Let’s start by taking a look at everything IT is supposed to provision access to in the modern era:
For years, IT has tried to use existing identity management systems to manage this jumble of new IT resources, even though that means a proliferation of unmanaged identities. The “identity crisis” has been simmering for a decade now, and it’s about to reach a boil. IT admins around the world are getting overwhelmed and fed up.
Here’s the good news. When a problem gets big enough, people have to stop ignoring it. In the last few years, there have been some concerted efforts to create better identity management solutions for the enterprise.
We are on the brink of an identity revolution – and if you take advantage of it now, you won’t just make life easier for everyone in the IT department, you’ll get a leg up on the competition because your entire team will be more productive – and secure.
Categories of the Identity and Access Market
Directory services connect users to the IT resources they need. As the core user store, a directory is the foundation of any IAM program. There are two primary classifications of directories: on-prem (Microsoft® Active Directory®) and cloud-based (JumpCloud® Directory-as-a-Service®).
Since conventional on-prem directories are ill-equipped to manage many of today’s resources (e.g. Mac®, Linux®, SaaS, IaaS), a whole category of solutions has been created to extend credentials to other platforms and other locations.
Single sign-on solutions strive to consolidate the plethora of web application accounts and resources in use into one login process via the web browser. This category is also known as first generation IDaaS (Identity-as-a-Service).
Privileged Account Management
Privileged account management sprang up to improve the security of critical systems like databases and network infrastructure. These IAM systems enhance access controls by adding the ability to manage systems and tightly control access to high-value IT resources.
End users need to remember so many passwords that a category of solutions has emerged to help. These solutions utilize a password vault that stores the passwords to your web sites.
Multi-Factor Authentication (MFA or 2FA)
Passwords are an imperfect form of identity protection. To prevent the breach of high-value resources, a second method of authentication is essential. A solid identity management solution should have MFA options available for both systems and applications.
What’s in your IAM Strategy?
(Check the boxes to see how your organization adds up)
| Checklist item | Checklist item |
|---|---|
| Centralized Management | Multi-Factor Authentication |
| Single Sign-On | Password Complexity Management |
| Manage by Groups Requirements | Secure Passwords (i.e. not clear text or encrypted) |
| Compatible with Windows, Mac, & Linux | Uses Core Protocols such as LDAP, SAML, RADIUS, SSH, REST |
| Extensible to the Cloud | Automated Provisioning and Deprovisioning |
| Cross-platform System Management | SSH Key Management |
| Unique WiFi credentials for each user | IAM Platform utilizes best security practices |
How does your current IAM strategy measure up on this checklist?
If you’re in this range, then your IAM strategy is actively hurting your company’s efficiency and security. You probably either don’t have an identity provider or you need to scrap your existing one. Giving your IAM strategy a makeover should be your top priority.
You’re keeping your head above water, but you’re not able to think about the future. Your IAM is either causing lapses in security or incompatibility with critical resources. Survey your needs and consider making a major change.
If you scored in this range, that means your IAM is serving you well. Still, all it takes is one missing plate in your armor for a hacker to deal a costly strike. Keep reading to find ways to address your IAM’s shortcomings.
Give yourself a pat on the back. You’ve already got a high-functioning IAM. Focus your efforts on staying ahead of the curve and being prepared for the changes coming in the identity market.
In modern times with all that we know about identity security, there’s no excuse for a company’s IAM strategy not to be scoring in the ‘Excellent’ range. That said, there are a host of good reasons why it probably isn’t. We’ll get into that in the next section.
PART II: Challenges
Challenge 1 : Vulnerable Identities
Weak or stolen credentials were used in 81% of hacking related breaches.
Everyone likes to say, “It will never happen to me.”
However, 58% of data breach victims last year were small businesses.
Clearly, greater security and stronger authentication is paramount for every organization, large or small. These are some steps you can take to fortify your identities:
- Enforce strong identity controls, including strict password requirements
- Require multi-factor authentication on devices and applications
- Train employees to use strong, unique passwords
- Encourage users to implement a password manager
We’ll discuss these steps in greater detail in the third section, ‘Solutions’.
Challenge 2: Identity Sprawl
Think about all of the accounts and passwords the average person has today: email, social media, banking, and on and on. The average internet user has a whopping 150 online accounts – and growing.
Identity Sprawl Decreases Security
Identity sprawl creates a chaotic environment that is difficult to secure. When an employee leaves, instead of being able to de-provision access to all resources with one click, IT must be meticulous and de-provision access individually for each resource. One mistake, one little oversight, and someone has access who shouldn’t.
To hackers, identity sprawl looks a lot like opportunity.
People average 150 accounts, but only 5 passwords.
So when a third-party hack happens (e.g. LinkedIn, Sony, Target, eBay, Equifax), the passwords for internal accounts are often compromised as well. But IT has no way of knowing, because those accounts exist entirely outside its purview.
Decentralized Identities Reduce Efficiency
At the user level, identity sprawl leads to more time logging in and password reuse (and ringing the help desk when they inevitably can’t remember what password goes to what account). LastPass even discovered that the average user ends up wasting 36 minutes a month, just on typing passwords.
On the admin side, it’s even worse. IT loses centralized control. They make a change in the central user directory, and it ends up propagating to only some IT resources. This requires that the admin keep track of which resources require separate control.
The solution is to consolidate identities, but our next challenge, legacy IAM solutions, is a major roadblock toward that goal.
Challenge 3: Legacy Identity Management Solutions
Microsoft Active Directory has served valiantly as the core identity provider since its release with Windows® 2000. It earned an early stranglehold on the market and is still in place, commanding 95% of Fortune 1000 companies. But a lot has changed since 1999.
In fact, the dominance of Microsoft AD is the single biggest reason for identity sprawl. AD doesn’t effectively manage devices that don’t run Windows – and the number of Mac and Linux devices has been on the uptick year after year.
Active Directory is also poorly equipped to authenticate SaaS-based identities and other cloud resources. The result is a multiplicity of unmanaged identities. So identity sprawl is stemming directly from companies where the IT department’s hands are tied because they still have to use AD.
The other major legacy directory in place in companies is OpenLDAP™. LDAP is better with Linux and Unix systems than AD, but it has the same difficulties managing cloud infrastructure. Furthermore, OpenLDAP is partial to LDAP (go figure), and so other ascendant protocols like SAML, OAuth, and the re-emergence of RADIUS are out of reach. Same with the ability to manage systems.
Ultimately, as long as these legacy systems continue to lock companies into their identity management solutions, IT will be unable to keep up with the changing identity landscape.
Challenge 4: Shadow IT
Shadow IT refers to systems and solutions implemented inside organizations without the IT department’s knowledge or approval.
Shadow IT is:
- often 10X more prevalent than expected.*
- the predicted source of 30% of attacks by 2020.*
- responsible for 30%-50% of IT spending.*
Shadow IT leads to gaps in security, chaotic workflows, and a proliferation of unmanaged identities. But that’s not the worst part.
The worst part of Shadow IT is that it is not connected to the core directory structure. Many IT admins have no idea how to connect all of these newly implemented devices, applications, file servers, and networks back to their core directory.
Chief Strategy Officer, JumpCloud
In other words, Shadow IT is a major factor contributing to the “identity crisis” that IT faces today. Whether it’s for collaboration, communication, or the transfer of files, Shadow IT means more unmanaged identities.
Ultimately, you likely can’t eliminate Shadow IT altogether. The approach must be two-fold:
- Train employees about Shadow IT, discouraging risky behavior
- Eliminate the need for Shadow IT by improving your IT infrastructure to better accommodate and manage the types of apps and IT resources that are likely to be implemented by rogue innovators
Challenge 5: Vendor Lock-In
The market to manage your identities has never been so competitive. As a result, one of the more subtle factors working against identity management is vendor lock-in. This refers to all of the companies that are trying to woo enterprises into using their platforms (often for free) so that you become dependent on their services. Eventually, this means they can lock you into paying for their other services. As Techbeacon put it, “[Once you’re locked in,] it can be hard to port to another vendor’s platform without considerable effort and cost”.
Where I come from, this is known as “the long con.”
Microsoft, Google, Amazon® …they all know that if they lock up your corporate identities now that you’ll be beholden to them later. These are savvy businesses. Why do you think that they offer so many valuable services for free?
For them, storing your identities (on their infrastructure) means additional revenue elsewhere. For Microsoft, it’s Windows, O365, and Azure. For Google, it’s G Suite, Chrome/Android, and Google Cloud Platform. For Amazon, it’s AWS and buying goods and services. Often, it is a good deal for businesses. Who doesn’t like to receive valuable services for free? But being naive about it is a recipe for disaster.
Why? Because they want you to do things their way. Microsoft wants you to use Windows systems. Google wants you to be part of their expansive Google ecosystem and eventually pay for their premium services, such as G Suite. Amazon doesn’t want you to implement any virtual infrastructure apart from AWS.
So naturally they design their infrastructures to be funnels – funnels that eventually guide you to paying for their services and excluding alternatives.
Don’t be a pawn in another player’s game. Understand that your identities are perceived as long-term corporate assets and protect them.
PART III: Solutions
Solution 1: Strengthen Security
Enterprise security once meant installing anti-virus software and a firewall. It used to be that easy. Today, security is at least five layers deep, as shown here:
Network Security: firewalls, intrusion detection/prevention solutions, VPNs, and others.
Device Security: servers, desktops, and laptops.
Application Security: internal and web applications.
Data Security: data at rest and in flight.
Identity Security: the core of enterprise security.
Each layer is integral, but identity security is fundamental. That’s because if a hacker can get credentials, then the rest of the security measures can be bypassed. At that point, the hacker is already “inside” and can do as they please. The good news is that there are four steps you can take to significantly bolster identity security.
Require Multi-Factor Authentication
Conventional passwords no longer cut it. Employees are prone to using the same password across multiple sites, and prone to ignoring best password practices. Even if passwords are long and complex, there’s still the possibility of them being stored in insecure ways.
MFA is an easy way to give some extra peace of mind over your business. With MFA, the standard password is supplemented with another form of authentication, be it a code sent to your phone, a fingerprint, or a retinal print.
This doesn’t make it twice as difficult for hackers. It makes it exponentially more difficult. They not only need something you know, but also something you have. In fact, 80% of breaches could have been prevented if MFA were implemented.
Enforce Password Requirements
A high-end computer can now crack an eight-character password in 5.5 hours.
Luckily, IT has the ability to implement password requirements. Most experts recommend enforcing a 12 character password requirement. At JumpCloud, we recommend at least 16 characters, and ideally, end users would use a randomly generated password that’s even longer.
Factors to Consider for Password Complexity
- Set length of password
- Uppercase and lowercase requirements
- Number requirements
- Special characters
- Password reuse
Complexity clearly plays a vital role in password security. You can train your employees to make passwords of this length, but people are just people and they are inevitably beset by “password fatigue”. For example, a report from LastPass found that 61% of employees reuse passwords despite 91% of them knowing better. So, encourage your users to leverage a password manager to ensure that passwords meet stringent complexity requirements and increased length.
Utilize One-Way Hashing and Salting
However you store your identities, the passwords should be one-way hashed and salted. Because the hash cannot be reversed, this makes it very difficult to recover the original credentials from the stored values, even if the store is stolen. The best identity stores in the world use this method of storing credentials.
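The following is an added example, not JumpCloud’s code or any directory’s actual storage format, of what “one-way hashed and salted” (and the checklist’s “not clear text or encrypted”) looks like in practice: each password gets its own random salt, is run through a slow one-way function (PBKDF2-HMAC-SHA256 from the Python standard library), and is verified by recomputing rather than decrypting. The record layout and the iteration count are this example’s own choices.

```python
import hashlib
import hmac
import os

# Assumption: cost parameter and record layout chosen for this example only.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password, salt=None):
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.

    A fresh random salt per credential means two users who pick the same
    password still end up with different stored values, so a stolen store
    cannot be attacked with one precomputed table for all accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return "{}${}${}${}".format(ALGO, ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time.

    Nothing is decrypted: the only way to check a password is to hash the
    candidate the same way and compare the results.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return hmac.compare_digest(candidate, expected)


def same_password_distinct_records(password):
    """True when hashing the same password twice yields different records."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample credential, not a real account.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("Correct horse battery staple", record))
    print(same_password_distinct_records("correct horse battery staple"))
```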
Implement Regular Security Training
Identities are intrinsically linked to user behavior. When everyone on the team understands the dangers associated with identity sprawl, then everyone is invested in eliminating it and keeping the company secure.
Solution 3: Leverage Cloud Directory Services
Cloud-based directory services have been built from the ground up to manage identities and resources across the cloud and on-prem. G Suite? Check. WiFi networks? Check. AWS, Salesforce, Slack, GitHub and more? Check, check, check, and check.
JumpCloud Directory-as-a-Service (DaaS) integrates seamlessly across on-prem and cloud-based IT resources. One identity can now traverse the plethora of different apps, systems, files, and infrastructure that modern business requires.
Cloud-based directory services offer True Single Sign-On™ for the first time in the modern era.
PART IV: Discovering Your True Identity
When people look back on the trajectory of the Identity and Access Market decades from now, they’ll see 2018-2019 as an inflection point – the moment when identities stopped proliferating out endlessly and began to consolidate back in. The future of identities is simpler, more efficient, and more secure.
The future of identities is in the cloud. As more and more resources move to the cloud, there’s no way around the fact that it is the most efficient way to manage identities.
But what about security? It may seem that the cloud is an easy target, but with correct security practices applied to the cloud, the opposite is in fact true. In March 2018 Gartner reported, “In 2018, the 60% of enterprises that implement appropriate cloud visibility and control tools will experience one-third fewer security failures. Through 2020, public cloud infrastructure as a service (IaaS) workloads will suffer at least 60% fewer security incidents than those in traditional data centers.”
So move forward into the new world of Cloud Identity Management with confidence. High costs and insufficient management are in the rear-view. Better security and True SSO lie ahead.
JumpCloud® Directory-as-a-Service® is Active Directory® and LDAP reimagined. JumpCloud securely manages and connects your users to their systems, applications, files, and networks. Try JumpCloud’s cloud-based directory at jumpcloud.com or contact us at 855.212.3122.