So far we have explored why organizations are considering implementing identity and access management solutions, as well as what they need to protect and who needs to have access to those applications. Implementing access management is all about ensuring that the right people have the proper access to applications under the right conditions.
It is quite rare in today’s business landscape for corporate environments to be isolated or contained to one physical location, or to do business centrally. Even if you have the luxury of managing a centralized organization, there are still external factors that you need to consider as you think about your IAM implementation; sometimes the smallest environments have the most complexity.
The solution that you implement should not only consider WHO and WHAT needs to be protected, but also be able to create access controls around WHERE the access attempts are coming from.
Regardless of whether you are a big multinational corporation or a small local business, chances are that budgets are constrained and the IT teams have multiple projects in the works. Teams are tasked to do more with less, even though studies show that many organizations are allocating higher budgets for access management solutions.
The Identity and Access Management Index 2018 study that we completed found that spending on access management has increased 45%. Teams are still faced with stringent project timelines, which makes finding an IAM solution that is easy to manage and deploy crucial as you consider WHEN you need to have a solution in place and your budget allocated.
When thinking about the question of where, you need to consider a couple of things. Where are your applications? Where are your users? Do you have multiple offices? Do you leverage remote contract workers? Do you have mobile users? Do you do business in certain countries? Are you going to allow mobile access to resources? How are you monitoring and protecting against traffic coming into your environment from countries where you know you don’t have any workers?
Today’s workforce is more diverse and mobile than ever before, and users need access to corporate resources regardless of where they are. Workers are rarely in a corporate office, and they don’t always have time to open their laptop, connect to a VPN, and log in to the corporate file share in order to pull down and send the documents that are needed. With that in mind, the IAM solution that you implement should offer accessibility without compromising security.
Your remote and mobile workers should have access to all of their applications through an accessible user portal, where you can add strong authentication against sensitive resources. Offering flexible authentication methods becomes an important part of this solution, which we will explore further when we consider HOW you are going to enforce and implement your IAM solution.
The Identity and Access Management Index 2018 report revealed that only 43% of respondents were securing their external users with strong authentication. Nearly nine in ten respondents say their organization restricts users from accessing corporate resources from mobile devices on some level; however, slightly worryingly, only 35% report their organization has complete restrictions in place.
The solution that you select should give you the ability to set different policies depending on whether your users are coming from the corporate office, from an outside source, or from a mobile device. Stronger controls should be in place for requests coming from outside, so that you can validate the identity and the source of the request.
If your external third parties are from certain geographic regions, you should be able to restrict access requests to users within that geolocation. Similarly, you should have the flexibility to restrict or deny traffic trying to access your applications from undesired geographic locations.
You need a solution that grants you visibility into where requests are coming from and has policies which can evaluate risk from certain access sources. The ability to have different access policies and authentication requirements for trusted versus non-trusted entities and locations provides that desired balance of usability and security. Further to that, having the ability to deny traffic from mobile devices or undesired countries serves to strengthen any network controls that you have in place. The solution that you select should be as versatile as your business.
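The location-aware policy described above can be sketched as a small decision function. This is an added example, not Gemalto's code or the SafeNet Trusted Access API; the network range, country sets, group and application names are all constructed, and the country code is assumed to come from an upstream GeoIP lookup.

```python
import ipaddress
from dataclasses import dataclass

# Every value below is constructed for illustration.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # office egress range
EMPLOYEE_COUNTRIES = {"CA", "US"}              # where the workforce is located
PARTNER_COUNTRIES = {"partner-acme": {"DE"}}   # third parties pinned to a region
NO_MOBILE_APPS = {"payroll"}                   # apps never served to mobile

@dataclass
class Request:
    group: str      # "employee" or a partner id
    app: str
    source_ip: str
    country: str    # ISO code from an upstream GeoIP lookup (assumed)
    mobile: bool

def evaluate(req: Request) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'mfa' or 'deny'."""
    try:
        ip = ipaddress.ip_address(req.source_ip)
    except ValueError:
        return "deny", "unparseable source address"   # fail closed
    on_corp_net = any(ip in net for net in CORPORATE_NETS)
    permitted = PARTNER_COUNTRIES.get(req.group, EMPLOYEE_COUNTRIES)
    if not on_corp_net and req.country not in permitted:
        return "deny", "country not permitted for this group"
    if req.mobile and req.app in NO_MOBILE_APPS:
        return "deny", "application not available from mobile devices"
    if on_corp_net and not req.mobile:
        return "allow", "trusted corporate network"
    return "mfa", "outside or mobile source: strong authentication required"

if __name__ == "__main__":
    samples = [
        Request("employee", "crm", "203.0.113.10", "CA", False),
        Request("employee", "crm", "198.51.100.7", "US", False),
        Request("employee", "payroll", "198.51.100.7", "US", True),
        Request("partner-acme", "crm", "198.51.100.9", "US", False),
        Request("employee", "crm", "192.0.2.44", "ZZ", False),
    ]
    for r in samples:
        print(r.source_ip, r.country, r.app, "->", *evaluate(r))
```

Logging the returned reason alongside each decision gives the visibility into request sources that the paragraph calls for.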
Project timelines are generally the largest obstacle when looking at implementation of any new security policy or guideline. So consider: are there specific deadlines which you need to meet for compliance regulations? What are your internal targets for an implemented solution? What other projects are on the go that need to be balanced? Do you have upcoming security audits? Does your budget have a timeline?
As organizations become more open to the adoption of cloud applications, it makes sense to consider a cloud-based IAM solution or to select a vendor who offers IDaaS. Cloud-based solutions mean reduced infrastructure investments, and generally they can be deployed rapidly across an organization regardless of its size. A solution that offers automation and provides the ability to deploy blanket access policies is ideal and will significantly reduce the number of IT resources needed to implement a strong security solution. By understanding what your timelines are for budget spend and implementation, you can narrow the scope of the solutions that you consider.
Your infrastructure consists of a lot of moving parts and applications, so you will want to select a solution that has template-based integrations out of the box to ensure smooth and rapid deployment. The IAM solution that you choose should also enable you to integrate using SAML, RADIUS and API methods so that you can protect all of the technologies in your environment.
In thinking about deploying an IAM solution, we have covered the 5 W’s (WHY, WHO, WHAT, WHERE, and WHEN) so far in this blog series, but perhaps the most important thing to consider is HOW you are going to implement a solution and HOW you are going to protect your users. We will explore this further in our next post.
Learn how Gemalto’s access management solutions can enable you to establish controls around the source of the access attempts to your organization and how our cloud-based SafeNet Trusted Access solution offers you a solution to meet your budgetary and project timelines.
*** This is a Security Bloggers Network syndicated blog from Enterprise Security – Gemalto blog authored by Amanda Rogerson. Read the original post at: https://blog.gemalto.com/security/2018/07/10/considering-access-management-part-3/