The IT Guide to Identity Management 2019

Identities have quietly become the most critical digital assets in the modern era. And whether management knows it or not, many of the most crucial conversations they have with IT are really conversations about identities.

Want better security?

If hackers steal your company’s identities, they steal the very core of your business. This fear would keep any IT team up at night, especially since the average cost of a data breach is $3.86 million.

How about more efficiency?

Wouldn’t it be nice if, with just one click, you could grant and revoke access to the myriad resources your employees need? This would allow your team to focus on building and strengthening your business.


A fast-moving, efficient, secure business orbits around successfully managing your team’s identities – and it always has. But today, there are more high-quality IT resources to connect to than ever before. This is contributing to a fundamental shift in the Identity and Access Management (IAM) market. If you’re not keeping up, then you’re putting your company at risk of breaches, loss of productivity, and falling behind the competition.

Don’t want that to happen? You’ve come to the right place.

This guide doesn’t just show how the Identity and Access Management landscape is shifting. It shows you how to shift along with it. There’s a brave new world of IAM – and you can use it to your advantage to move your business forward even faster and more efficiently.

PART I: Overview

The New Identity

Let’s start by taking a look at everything IT is supposed to provision access to in the modern era:

  • Internal Apps: developed in-house and stored on-prem
  • WiFi: the all-important Internet
  • Third Party Apps (SaaS): e.g. Salesforce, G Suite™, O365™, GitHub, Slack
  • Documents/Files: texts, spreadsheets, PDFs, and reports
  • Cloud Infrastructure: cloud servers from AWS®, Azure®, and GCP™
  • Systems: Windows®, Mac®, and Linux® systems

For years, IT has tried to use existing identity management systems to manage this jumble of new IT resources, even though that means a proliferation of unmanaged identities. The “identity crisis” has been simmering for a decade now, and it’s about to reach a boil. IT admins around the world are getting overwhelmed and fed up.

Here’s the good news. When a problem gets big enough, people have to stop ignoring it. In the last few years, there have been some concerted efforts to create better identity management solutions for the enterprise.

We are on the brink of an identity revolution – and if you take advantage of it now, you won’t just make life easier for everyone in the IT department, you’ll get a leg up on the competition because your entire team will be more productive – and secure.

Categories of the Identity and Access Market

Directory

Directory services connect users to the IT resources they need. As the core user store, a directory is the foundation of any IAM program. There are two primary classifications of directories: on-prem (Microsoft® Active Directory®) and cloud-based (JumpCloud® Directory-as-a-Service®).

Directory Extension

Since conventional on-prem directories are ill-equipped to manage many of today’s resources (e.g. Mac®, Linux®, SaaS, IaaS), a whole category of solutions has been created to extend credentials to other platforms and other locations.

Single Sign-On

Single sign-on solutions strive to consolidate the plethora of web application accounts and resources in use into one login process via the web browser. This category is also known as first generation IDaaS (Identity-as-a-Service).

Privileged Account Management

Privileged account management sprung up to improve the security of critical systems like databases and network infrastructure. These IAM systems enhance access controls by including the ability to manage systems and tightly control access to high-value IT resources.

Password Managers/Vaults

End users need to remember so many passwords that a category of solutions has emerged to help. These solutions utilize a password vault that stores the passwords to your websites.

Multi-Factor Authentication (MFA or 2FA)

Passwords are an imperfect form of identity protection. To prevent the breach of high-value resources, a second method of authentication is essential. A solid identity management solution should have MFA options available for both systems and applications.

What’s in your IAM Strategy?

Check how many of the following your organization has in place:

  • Centralized Management
  • Single Sign-On
  • Manage by Groups
  • Compatible with Windows, Mac, & Linux
  • Extensible to the Cloud
  • Cross-platform System Management
  • Unique WiFi credentials for each user
  • Multi-Factor Authentication
  • Password Complexity Management Requirements
  • Secure Passwords (i.e. not clear text or encrypted)
  • Uses Core Protocols such as LDAP, SAML, RADIUS, SSH, REST
  • Automated Provisioning and Deprovisioning
  • SSH Key Management
  • IAM Platform utilizes best security practices

How does your current IAM strategy measure up on this checklist? Count one point per item (out of 14) and find your score below.

Scoring

  • Poor (0-5)

    If you’re in this range, then your IAM strategy is actively hurting your company’s efficiency and security. You probably either don’t have an identity provider or you need to scrap your existing one. Giving your IAM strategy a makeover should be your top priority.

  • Fair (6-8)

    You’re keeping your head above water, but you’re not able to think about the future. Your IAM is either causing lapses in security or incompatibility with critical resources. Survey your needs and consider making a major change.

  • Good (9-11)

    If you scored in this range, that means your IAM is serving you well. Still, all it takes is one missing plate in your armor for a hacker to deal a costly strike. Keep reading to find ways to address your IAM’s shortcomings.

  • Excellent (12-14)

    Give yourself a pat on the back. You’ve already got a high-functioning IAM. Focus your efforts on staying ahead of the curve and being prepared for the changes coming in the identity market.

In modern times with all that we know about identity security, there’s no excuse for a company’s IAM strategy not to be scoring in the ‘Excellent’ range. That said, there are a host of good reasons why it probably isn’t. We’ll get into that in the next section.

PART II: Challenges

Challenge 1: Vulnerable Identities

Weak or stolen credentials were used in 81% of hacking-related breaches.

Everyone likes to say, “It will never happen to me.”

However, 58% of data breach victims last year were small businesses.

Clearly, greater security and stronger authentication is paramount for every organization, large or small. These are some steps you can take to fortify your identities:

  • Enforce strong identity controls, including strict password requirements
  • Require multi-factor authentication on devices and applications
  • Train employees to use strong, unique passwords
  • Encourage users to implement a password manager

We’ll discuss these steps in greater detail in the third section, Solutions.

Challenge 2: Identity Sprawl

Think about all of the accounts and passwords the average person has today: email, social media, banking, and on and on. The average internet user has a whopping 150 online accounts – and growing.

Identity Sprawl Decreases Security

Identity sprawl creates a chaotic environment that is difficult to secure. When an employee leaves, instead of being able to de-provision access to all resources with one click, IT must be meticulous and de-provision access individually for each resource. One mistake, one little oversight, and someone has access who shouldn’t.

To hackers, identity sprawl looks a lot like opportunity.

People average 150 accounts, but only 5 passwords. (Telesign)

So when a third-party hack happens (e.g. LinkedIn, Sony, Target, eBay, Equifax), the passwords for internal accounts are often compromised as well. But IT has no way of knowing, because those external accounts exist entirely outside its purview.

Decentralized Identities Reduce Efficiency

At the user level, identity sprawl leads to more time logging in and password reuse (and ringing the help desk when they inevitably can’t remember what password goes to what account). LastPass even discovered that the average user ends up wasting 36 minutes a month, just on typing passwords.

On the admin side, it’s even worse. IT loses centralized control. They make a change in the central user directory, and it ends up propagating to only some IT resources. This requires that the admin keep track of which resources require separate control.

The solution is to consolidate identities, but our next challenge, legacy IAM solutions, is a major roadblock toward that goal.


Challenge 3: Legacy Identity Management Solutions

Microsoft Active Directory has served valiantly as the core identity provider since its release with Windows® 2000. It earned an early stranglehold on the market and is still in place, commanding 95% of Fortune 1000 companies. But a lot has changed since 1999.

In fact, the dominance of Microsoft AD is the single biggest reason for identity sprawl. AD doesn’t effectively manage devices that don’t run Windows – and the number of Mac and Linux devices has been on the uptick year after year.

Active Directory is also poorly equipped to authenticate SaaS-based identities and other cloud resources. The result is a multiplicity of unmanaged identities. So identity sprawl is stemming directly from companies where the IT department’s hands are tied because they still have to use AD.

The other major legacy directory in place in companies is OpenLDAP™. LDAP is better with Linux and Unix systems than AD, but it has the same difficulties managing cloud infrastructure. Furthermore, OpenLDAP is partial to LDAP (go figure), and so other ascendant protocols like SAML, OAuth, and the re-emergence of RADIUS are out of reach. Same with the ability to manage systems.

Ultimately, as long as these legacy systems continue to lock companies into their identity management solutions, IT will be unable to keep up with the changing identity landscape.

Challenge 4: Shadow IT

Shadow IT refers to systems and solutions implemented inside organizations without the IT department’s knowledge or approval.

Shadow IT is:

  • Widespread: Shadow IT is often 10X more prevalent than expected.*
  • Risky: By 2020, 30% of attacks will be a result of shadow IT.*
  • Expensive: Shadow IT accounts for 30%-50% of IT spending.*

Shadow IT leads to gaps in security, chaotic workflows, and a proliferation of unmanaged identities. But that’s not the worst part.

The worst part of Shadow IT is that it is not connected to the core directory structure. Many IT admins have no idea how to connect all of these newly implemented devices, applications, file servers, and networks back to their core directory.

Greg Keller
Chief Strategy Officer, JumpCloud

In other words, Shadow IT is a major factor contributing to the “identity crisis” that IT faces today. Whether it’s for collaboration, communication, or the transfer of files, Shadow IT means more unmanaged identities.

Shadow IT can also be cast as ‘innovative’ and ‘proactive’. That’s why TechCrunch has said it’s “time to embrace Shadow IT” and why Forbes has opined that “CIOs should be happy about Shadow IT”.

Ultimately, you likely can’t eliminate Shadow IT altogether. The approach must be two-fold:

  1. Train employees about Shadow IT, discouraging risky behavior.
  2. Eliminate the need for Shadow IT by improving your IT infrastructure to better accommodate and manage the types of apps and IT resources that are likely to be implemented by rogue innovators.

Challenge 5: Vendor Lock-In

The market to manage your identities has never been so competitive. As a result, one of the more subtle factors working against identity management is vendor lock-in. This refers to all of the companies that are trying to woo enterprises into using their platforms (often for free) so that you become dependent on their services. Eventually, this means they can lock you into paying for their other services. As Techbeacon put it, “[Once you’re locked in,] it can be hard to port to another vendor’s platform without considerable effort and cost”.

Where I come from, this is known as “the long con.”

Microsoft, Google, Amazon® …they all know that if they lock up your corporate identities now, you’ll be beholden to them later. These are savvy businesses. Why do you think that they offer so many valuable services for free?

For them, storing your identities (on their infrastructure) means additional revenue elsewhere. For Microsoft, it’s Windows, O365, and Azure. For Google, it’s their G Suite, Chrome/Android, and Google Cloud Platform. For Amazon, it’s AWS and buying goods and services. Often, it is a good deal for businesses. Who doesn’t like to receive valuable services for free? But being naive about it is a recipe for disaster.

Why? Because they want you to do things their way. Microsoft wants you to use Windows systems. Google wants you to be part of their expansive Google ecosystem and eventually pay for their premium services, such as G Suite. Amazon doesn’t want you to implement any virtual infrastructure apart from AWS.

So naturally they design their infrastructures to be funnels – funnels that eventually guide you to paying for their services and excluding alternatives.

Don’t be a pawn in another player’s game. Understand that your identities are perceived as long-term corporate assets and protect them.


PART III: Solutions

Solution 1: Strengthen Security

Enterprise security once meant installing anti-virus software and a firewall. It used to be that easy. Today, security is at least five layers deep, as shown here:

Network Security: firewalls, intrusion detection/prevention solutions, VPNs, and others.

Device Security: servers, desktops, and laptops.

Application Security: internal and web applications.

Data Security: data at rest and in flight.

Identity Security: the core of enterprise security.

Each layer is integral, but identity security is fundamental. That’s because if a hacker can get credentials, then the rest of the security measures can be bypassed. At that point, the hacker is already “inside” and can do as they please. The good news is that there are four steps you can take to significantly bolster identity security.

Require Multi-Factor Authentication


Conventional passwords no longer cut it. Employees are prone to using the same password across multiple sites, and prone to ignoring best password practices. Even if passwords are long and complex, there’s still the possibility of them being stored in insecure ways.

MFA is an easy way to give some extra peace of mind over your business. With MFA, the standard password is supplemented with another form of authentication, be it a code sent to your phone, a fingerprint, or a retinal print.

This doesn’t make it twice as difficult for hackers. It makes it exponentially more difficult. They not only need something you know, but also something you have. In fact, 80% of breaches could have been prevented if MFA were implemented.
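To make the “something you have” factor concrete, here is an added example, not JumpCloud’s code and not part of the original guide: a time-based one-time password (TOTP) generator and verifier as defined in RFC 6238, the mechanism behind most authenticator apps. The shared secret is the RFC’s published test secret, so the codes can be checked against the RFC’s own values; the `TotpVerifier` class is an assumption of the example and also rejects a code that has already been accepted, the replay caveat any deployment has to handle.

```python
"""Added example: TOTP (RFC 6238) generation and verification with replay protection."""
import base64
import hashlib
import hmac
import secrets
import struct

# RFC 6238 Appendix B test secret for HMAC-SHA1 is the ASCII string "12345678901234567890".
# Authenticator apps enrol the secret base32-encoded, so it is stored that way here.
RFC6238_SECRET = base64.b32encode(b"12345678901234567890").decode()


def new_secret() -> str:
    """Generate a fresh 160-bit shared secret, base32-encoded for enrolment (e.g. a QR code)."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    key = base64.b32decode(secret_b32.upper())
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Per-user verifier (assumed helper): tolerates clock drift, rejects replayed codes."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.key = base64.b32decode(secret_b32.upper())
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = -1  # highest time-step counter already accepted for this user

    def verify(self, submitted: str, unix_time: int) -> bool:
        """Accept a code for the current step or +/- `window` steps, each step at most once."""
        base = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            expected = hotp(self.key, counter, self.digits)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected, submitted):
                if counter <= self.last_counter:
                    return False  # code for this (or an earlier) step was already used
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("TOTP at t=59 for the RFC 6238 test secret:", totp(RFC6238_SECRET, 59))
    v = TotpVerifier(RFC6238_SECRET)
    print("first use accepted:", v.verify(totp(RFC6238_SECRET, 59), 59))
    print("replay accepted:", v.verify(totp(RFC6238_SECRET, 59), 59))
```

The drift window is what lets a phone whose clock is a few seconds off still authenticate; the `last_counter` check is what stops a code captured from one login from being submitted a second time inside that same window.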

Enforce Password Requirements

A high-end computer can now crack an eight-character password in 5.5 hours.

Luckily, IT has the ability to implement password requirements. Most experts recommend enforcing a 12 character password requirement. At JumpCloud, we recommend at least 16 characters, and ideally, end users would use a randomly generated password that’s even longer.

Factors to Consider for Password Complexity

  • Set length of password
  • Uppercase and lowercase requirements
  • Number requirements
  • Special characters
  • Password reuse

Complexity clearly plays a vital role in password security. You can train your employees to make passwords of this length, but people are just people and they are inevitably beset by “password fatigue”. For example, a report from LastPass found that 61% of employees reuse passwords despite 91% of them knowing better. So, encourage your users to leverage a password manager to ensure that passwords meet stringent complexity requirements and increased length.


Utilize One-Way Hashing and Salting

However you store your identities, the passwords should be one-way hashed and salted. A one-way hash cannot be reversed into the original password, and a per-user salt means two users with the same password get different stored values. This makes it very difficult for credentials to be recovered from a stolen identity store. The best identity stores in the world use this method of storing credentials.
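The complexity factors listed under Enforce Password Requirements and the hashing-and-salting advice above fit together in one password-change routine. The following is an added example, not code from the guide or from JumpCloud: a policy check for length, case, digits, special characters and reuse, plus salted one-way hashing with PBKDF2-HMAC-SHA256 from the Python standard library. The 16-character minimum is the guide’s recommendation; the iteration count, the history depth and the sample passwords are assumptions chosen for the example.

```python
"""Added example: password policy, salted one-way hashing, and reuse detection."""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 16                 # the guide's recommended minimum length
SPECIALS = set(string.punctuation)
ITERATIONS = 100_000            # assumption kept low for a quick demo; raise it in production
MAX_HISTORY = 5                 # assumption: how many previous hashes are kept for reuse checks


def policy_violations(password: str) -> list:
    """Return the complexity rules the password fails (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted one-way hash; stored as 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt per stored password means identical passwords hash differently,
    so a leaked store cannot be attacked with one precomputed table for all users.
    """
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def is_reused(password: str, history: list) -> bool:
    """True if the candidate matches any previously stored hash (each carries its own salt)."""
    return any(verify_password(password, stored) for stored in history)


def set_password(new_password: str, history: list) -> list:
    """Enforce policy and reuse rules; return the updated hash history (newest last)."""
    problems = policy_violations(new_password)
    if problems:
        raise ValueError("policy: " + "; ".join(problems))
    if is_reused(new_password, history):
        raise ValueError("password was used recently")
    return (history + [hash_password(new_password)])[-MAX_HISTORY:]


if __name__ == "__main__":
    # Constructed sample passwords for the demo.
    history = set_password("Tr0ub4dor&3-Correct-Horse", [])
    print("stored:", history[-1])
    print("login ok:", verify_password("Tr0ub4dor&3-Correct-Horse", history[-1]))
    for bad in ("Short1!", "Tr0ub4dor&3-Correct-Horse"):
        try:
            set_password(bad, history)
        except ValueError as err:
            print(f"rejected {bad!r}: {err}")
```

Note that the reuse check never needs the old passwords themselves: it re-hashes the candidate with each historical salt, so the history is just as one-way as the current credential.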

Implement Regular Security Training

Identities are intrinsically linked to user behavior. When everyone on the team understands the dangers associated with identity sprawl, then everyone is invested in eliminating it and keeping the company secure.


Solution 3: Leverage Cloud Directory Services

Cloud-based directory services have been built from the ground up to manage identities and resources across the cloud and on-prem. G Suite? Check. WiFi networks? Check. AWS, Salesforce, Slack, GitHub and more? Check, check, check, and check.

JumpCloud Directory-as-a-Service (DaaS) integrates seamlessly across on-prem and cloud-based IT resources. One identity can now traverse the plethora of different apps, systems, files, and infrastructure that modern business requires.

Cloud-based directory services offer True Single Sign-On™ for the first time in the modern era.

PART IV: Discovering Your True Identity

When people look back on the trajectory of the Identity and Access Market decades from now, they’ll see 2018-2019 as an inflection point – the moment when identities stopped proliferating out endlessly and began to consolidate back in. The future of identities is simpler, more efficient, and more secure.

The future of identities is in the cloud. As more and more resources move to the cloud, there’s no way around the fact that it is the most efficient way to manage identities.


But what about security? It may seem that the cloud is an easy target, but with correct security practices applied to the cloud, the opposite is in fact true. In March 2018 Gartner reported, “In 2018, the 60% of enterprises that implement appropriate cloud visibility and control tools will experience one-third fewer security failures. Through 2020, public cloud infrastructure as a service (IaaS) workloads will suffer at least 60% fewer security incidents than those in traditional data centers.”

So move forward into the new world of Cloud Identity Management with confidence. High costs and insufficient management are in the rear-view. Better security and True SSO lie ahead.

If you would like to learn more about how Directory-as-a-Service solves today’s identity management challenges, you can sign up for free or request a demo.

About JumpCloud

JumpCloud® Directory-as-a-Service® is Active Directory® and LDAP reimagined. JumpCloud securely manages and connects your users to their systems, applications, files, and networks. Try JumpCloud’s cloud-based directory at jumpcloud.com or contact us at 855.212.3122.