Cloud-based storage systems and applications are now a huge part of how business operates. The shift towards using cloud computing has resulted in an increase in Software as a Service (SaaS) and Platform as a Service (PaaS) applications.
Using cloud software and applications alleviates the burden of updating services, managing downtime and staffing an in-house IT department. It’s also cost-effective, with many providers offering fixed-cost monthly subscriptions allowing you to pay only for what you use.
Getting the most out of SaaS/PaaS means striking a balance between providing users with enough access to do their job while at the same time protecting company data and resources. A robust identity management and access control policy will reduce security risks, increase efficiency and ensure compliance with regulations that govern the privacy of personal data.
Creating and managing users involves deciding who can access what and how. Individual users can be assigned Single Sign-On (SSO) capabilities and often need to access company resources across a range of platforms and applications on-site and remotely. Advanced security measures that require more than single step sign-in are also available. Multi-factor authentication (MFA) provides an extra layer of safety. For example, in addition to the traditional username and password, users may need to enter a code received by text, or use a smart card or fingerprint.
Directory services or identity providers can create, maintain and manage identity information. Microsoft Active Directory is an IdP developed for Windows domain networks. Active Directory is an umbrella title for a broad range of directory-based identity-related services. In many cases, user information is sourced from different repositories. Identity providers must not only manage identities in different systems but also be able to synchronise information and provide a single source of truth when required.
With so many services, applications and platforms and so much security at stake, the composition of an efficient identity management policy can appear daunting. The process can, however, be simplified by considering four basic factors.
List the assets you need to protect when implementing your identity management and access control system. Databases, customer and employee information, company statistics, software, transaction information; these are precious commodities. The purpose of identity management and access control is to confer those who need it with maximum access to these assets at minimum risk.
Now that you know what you have, classify all your assets according to their value. The value of an information asset pertains to how damaging it would be to have that data or application altered or accessed by a non-authorised person. For example, identity theft is a serious and common crime.
Databases containing customer and employee information might, therefore, be considered high risk. For assets such as these, you might consider investing in a multi-factor authentication (MFA) service.
Assessing the risk of each asset will provide a foundation for deciding how protected each one should be, who should access it and how.
Your choice of management system will depend on what systems you are currently using. Microsoft Active Directory is a popular management system for those operating with Windows. If you use an OS such as Unix or Linux, Lightweight Directory Access Protocol (LDAP) might be the application for you.
No matter what computer infrastructure your business is using, there is a compatible access management programme available with options for even the most diverse platforms.
Having assessed your company’s data and assets and chosen your management system, it’s now time to implement your identity management and access control strategy. Users should be aligned with an appropriate level of access that affords convenience and security.
Depending on staff numbers and distribution, you may decide to allow remote access to certain applications. If there are multiple applications with different user id and password systems, an enterprise-wide single sign-on (SSO) system would be advantageous. SSO products range from Imprivata (used by medium-sized companies) to IBM’s Tivoli (for larger companies).
Once established, your identity management system should provide the flexibility to modify the access levels of its users. Rights of access can be conferred in blocks by establishing groups with specific privileges reflecting job function or staff locations. Other employees will need customised access. Request and approval procedures for modifying privileges should be built-in to your access management programme.
Identity management technologies represent the keys to your castle; they allow you to protect your business, manage user identities and access permissions in an automated fashion. A clear and universally upheld identity management policy will allow your company to extract the very best of what these digital keys have to offer.
If you’d like to discuss ways to better manage identities and access in your company, talk to Spector about the different ways we can help.