Part Ⅰ: Overview
The New Identity
Let’s start by taking a look at everything IT is supposed to provision access to in the modern era:
Internal Apps: Developed in-house and stored on-prem
Third Party Apps (SaaS): E.g. Salesforce, G Suite™, O365™, GitHub, Slack
Cloud Infrastructure: Cloud servers from AWS®, Azure®, and GCP™
WiFi: The all-important Internet
Documents/Files: Texts, spreadsheets, pdfs, and reports
Systems: Windows®, Mac®, and Linux® Systems
For years, IT has tried to use existing identity management systems to manage this jumble of new IT resources, even though that means a proliferation of unmanaged identities. The “identity crisis” has been simmering for a decade now, and it’s about to reach a boil. IT admins around the world are getting overwhelmed and fed up.
Here’s the good news. When a problem gets big enough, people have to stop ignoring it. In the last few years, there have been some concerted efforts to create better identity management solutions for the enterprise.
We are on the brink of an identity revolution – and if you take advantage of it now, you won’t just make life easier for everyone in the IT department, you’ll get a leg up on the competition because your entire team will be more productive – and secure.
Categories of the Identity
and Access Market
What's in your IAM Strategy?
(Check the boxes to see how your organization adds up)
Part Ⅱ: Challenges
Challenge 1: Vulnerable Identities
Weak or stolen credentials were used in 81% of hacking related breaches.
Everyone likes to say, “It will never happen to me.” However, 58% of data breach victims last year were small businesses.
Clearly, greater security and stronger authentication is paramount for every organization, large or small. These are some steps you can take to fortify your identities:
- Enforce strong identity controls, including strict password requirements
- Require multi-factor authentication on devices and applications
- Train employees to use strong, unique passwords
- Encourage users to implement a password manager
We’ll discuss these steps in greater detail in the third section, ‘Solutions’.
Challenge 2: Identity Sprawl
Think about all of the accounts and passwords the average person has today: email, social media, banking, and on and on. The average internet user has a whopping 150 online accounts – and growing.
This is called ‘identity sprawl’ and it is even worse at workplaces where you have to factor in a variety of internal and SaaS-based apps. Users have a different account for Slack, Office 365™, Salesforce, GitHub, G Suite™, and many more. Aside from being a headache from a compliance perspective, identity sprawl hurts companies in two big ways.
Identity Sprawl Decreases Security
Identity sprawl creates a chaotic environment that is difficult to secure. When an employee leaves, instead of being able to deprovision access to all resources with one click, IT must be meticulous and de-provision access individually for each resource. One mistake, one little oversight, and someone has access who shouldn’t.
To hackers, identity sprawl looks a lot like opportunity.
So when a third-party hack happens (e.g. LinkedIn, Sony, Target, eBay, Equifax), the passwords for internal accounts are often compromised as well. But, IT has no way of knowing because it exists entirely out of their purview.
Decentralized Identities Reduce Efficiency
At the user level, identity sprawl leads to more time logging in and password reuse (and ringing the help desk when they inevitably can’t remember which password goes to what account). LastPass even discovered that the average user ends up wasting 36 minutes a month, just on typing passwords.
On the admin side, it’s even worse. IT loses centralized control. They make a change in the central user directory, and it ends up propagating to only some IT resources. This requires that the admin keep track of which resources require separate control.
The solution is to consolidate identities, but our next challenge, legacy IAM solutions, is a major roadblock toward that goal.
Challenge 3: Legacy Identity Management Solutions
Microsoft Active Directory has served valiantly as the core identity provider since its release with Windows® 2000. It earned an early stranglehold on the market that is still in place, commanding 95% of Fortune 1000 companies. But a lot has changed since 1999.
In fact, the dominance of Microsoft AD is the single biggest reason for identity sprawl. AD doesn’t effectively manage devices that don’t run Windows – and the number of Mac and Linux devices has been on the uptick year after year.
Active Directory is also poorly equipped to authenticate SaaS-based identities and other cloud resources. The result is a multiplicity of unmanaged identities. So identity sprawl is stemming directly from companies where the IT department’s hands are tied because they still have to use AD.
The other major legacy directory in place at companies is OpenLDAP™. LDAP is better with Linux and Unix systems than AD, but it has the same difficulties managing cloud infrastructure. Furthermore, OpenLDAP is partial to LDAP (go figure), and so other ascendent protocols like SAML, OAuth, and the re-emergence of RADIUS are out of reach. Same with the ability to manage systems.
Ultimately, as long as these legacy systems continue to lock companies into their identity management solutions, IT will be unable to keep up with the changing identity landscape.
Challenge 4: Shadow IT
Shadow IT refers to systems and solutions implemented inside organizations without the IT department’s knowledge or approval.
Shadow IT is:
Shadow IT is often 10X more prevalent than expected.Case Study
By 2020, 30% of attacks will be a result of shadow IT.Case Study
Shadow IT accounts for 30%-50% of IT spending.Case Study
In other words, Shadow IT is a major factor contributing to the “identity crisis” that IT faces today. Whether it's for collaboration, communication, or the transfer of files, Shadow IT means more unmanaged identities.
Ultimately, you likely can’t eliminate Shadow IT altogether. The approach must be two-fold:
- Train employees about Shadow IT, discouraging risky behavior
- Eliminate the need for Shadow IT by improving your IT infrastructure to better accommodate and manage the types of apps and IT resources that are likely to be implemented by rogue innovators
Challenge 5: Vendor Lock-In
The market to manage your identities has never been so competitive. As a result, one of the more subtle factors working against identity management is vendor lock-in. This refers to all of the companies that are trying to woo enterprises into using their platforms (often for free) so that you become dependent on their services. Eventually, this means they can lock you into paying for their other services. As Techbeacon put it, “[Once you’re locked in,] it can be hard to port to another vendor’s platform without considerable effort and cost”.
Where I come from, this is known as “the long con.”
Microsoft, Google®, Amazon® …they all know that if they lock up your corporate identities now that you’ll be beholden to them later. These are savvy businesses. Why do you think that they offer so many valuable services for free?
For them, storing your identities (on their infrastructure) means additional revenue elsewhere. For Microsoft, it’s Windows, O365, and Azure. For Google, it’s their G Suite, Chrome/Android, and Google Cloud Platform. For Amazon, it’s AWS and buying goods and services. Often, it is a good deal for businesses. Who doesn’t like to receive valuable services for free? But being naive about it is a recipe for disaster.
Why? Because they want you to do things their way. Microsoft wants you to use Windows systems. Google wants you to be part of their expansive Google ecosystem and eventually pay for their premium services, such as G Suite. Amazon doesn’t want you to implement any virtual infrastructure apart from AWS.
So naturally they design their infrastructures to be funnels – funnels that eventually guide you to paying for their services and excluding alternatives.
Don’t be a pawn in another player’s game. Understand that your identities are perceived as long-term corporate assets and protect them.
Part Ⅲ: Solutions
Solution 1: Strengthen Security
Enterprise security once meant installing anti-virus software and a firewall. It used to be that easy. Today, security is at least five layers deep, as shown here:
Network Security: firewalls, intrusion detection/ prevention solutions, VPNs, and others.
Device Security: servers, desktops, and laptops.
Application Security: internal and web applications.
Data Security: data at rest and in flight.
Identity Security: the core of enterprise security.
Each layer is integral, but identity security is fundamental. That’s because if a hacker can get credentials, then the rest of the security measures can be bypassed. At that point, the hacker is already “inside” and can do as they please. The good news is that there are four steps you can take to significantly bolster identity security.
Require Multi-Factor Authentication
Conventional passwords no longer cut it. Employees are prone to using the same password across multiple sites, and prone to ignoring best password practices. Even if passwords are long and complex, there’s still the possibility of them being stored in insecure ways.
MFA is an easy way to have some extra peace of mind over your business. With MFA, the standard password is supplemented with another form of authentication, be it a code sent to your phone, a fingerprint, or a retinal print.
This doesn’t make it twice as difficult for hackers. It makes it exponentially more difficult. They not only need something you know, but also something you have. In fact, 80% of breaches could have been prevented if MFA were implemented.
Enforce Password Requirements
A high-end computer can now crack an eight-character password in 5.5 hours.
Luckily, IT has the ability to implement password requirements. Most experts recommend enforcing a 12 character password requirement. At JumpCloud, we recommend at least 16 characters, and ideally, end users would use a randomly generated password that’s even longer.
Factors to Consider for Password Complexity
- Set length of password
- Uppercase and lowercase requirements
- Number requirements
- Special characters
- Password reuse
Complexity clearly plays a vital role in password security. You can train your employees to make passwords of a certain length, but people are just people and they are inevitably beset by “password fatigue.” For example, a report from LastPass found that 61% of employees reuse passwords despite 91% of them knowing better. So, encourage your users to leverage a password manager to ensure that passwords meet stringent complexity requirements and increased length.
Utilize One-Way Hashing and Salting
However you store your identities, they should be one-way hashed and salted. This makes it very difficult for credentials to be decrypted. The best identity stores in the world will use this method of storing credentials.
Implement Regular Security Training
Identities are intrinsically linked to user behavior. When everyone on the team understands the dangers associated with identity sprawl, then everyone is invested in eliminating it and keeping the company secure.
Solution 2: Don’t Use Apps for Your Directory Service
Some small startups are bypassing traditional on-prem directories altogether. Instead, they’re leveraging SaaS-based apps as their core identities. Using identities from SaaS apps like G Suite or Office 365/Azure Active Directory can be effective for other cloud resources while requiring little investment and maintenance from IT departments.
The only problem with this is that solutions like G Suite Directory and Azure AD weren’t built to be true directory services. They don’t offer the degree of control required from an identity provider, nor do they connect to a wide variety of IT resources. After all, can end users solely leverage web-based applications to accomplish all of their work? No, they also need a Mac, Windows, or Linux system, an internet connection, file storage and access to cloud servers at AWS. Manually adding user profiles to each of these resources is time consuming, prone to human error, and encourages password fatigue. Additionally, IT admins will lack the control they need to centrally enforce security best practices like MFA, increasing the risk of a breach. You are better off using a true directory service that will help your organization stay secure and agile.
Solution 3: Leverage Cloud Directory Services
Cloud-based directory services have been built from the ground up to manage identities and resources across the cloud and on-prem. G Suite? Check. WiFi networks? Check. AWS, Salesforce, Slack, GitHub and more? Check, check, check, and check.
JumpCloud® Directory-as-a-Service® (DaaS) integrates seamlessly across on-prem and cloud-based IT resources. One identity can now traverse the plethora of different apps, systems, files, and infrastructure that modern business requires.
Cloud-based directory services offer True Single Sign-On™ for the first time in the modern era.
Part Ⅳ: Discovering Your True Identity
When people look back on the trajectory of the Identity and Access Market decades from now, they’ll see 2018-2019 as an inflection point – the moment when identities stopped proliferating out endlessly and began to consolidate back in. The future of identities is simpler, more efficient, and more secure.
As more and more resources move to the cloud, there’s no way around the fact that it is the most efficient way to manage identities.
But what about security? It may seem that the cloud is an easy target, but with correct security practices applied, the opposite is true. In March 2018 Gartner reported, “In 2018, the 60% of enterprises that implement appropriate cloud visibility and control tools will experience one-third fewer security failures. Through 2020, public cloud infrastructure as a service (IaaS) workloads will suffer at least 60% fewer security incidents than those in traditional data centers.”
So move forward into the new world of Cloud Identity Management with confidence. High costs and insufficient management are in the rear-view. Better security and True SSO lie ahead.