As the workforce becomes more mobile and more critical enterprise applications are hosted in the cloud, identity and access management (IAM) grows increasingly important to help assure secure remote access to organizations’ web applications and data. When employees move around from network to network and repeatedly swap devices, their risk characteristics change. Currently, we take a binary approach to IAM, where access is granted or denied, and it’s no longer sufficient.
Web-based applications and enterprise mobility usher in new risks, but there are business benefits to keep in mind: employees are likely to be more productive – from any location – and responsive to urgent requests. This has driven an exponential increase in the number of identities that IT administrators have to manage in order to mitigate the associated risks.
Managing authentication and authorization for multiple web applications should be a priority for businesses. Today’s enterprise cloud IAM solutions have evolved from simple password management to some combination of Single Sign-On (SSO), two-factor authentication (2FA) and auditing. But without all three capabilities, an entire organization is vulnerable and susceptible to data theft. For example, SSO helps resolve the password management issue as web applications multiply, but what users do within web applications once they are authenticated goes un-audited. With today’s global mobile workforce, devices require dynamic IAM that enables productivity and diverse security without exposing employers to data breaches.
Dynamic IAM balances security with convenience
Dynamic IAM provides today’s workforce with a more flexible approach, effectively identifying the middle-ground for tackling new risks without compromising accessibility and productivity. With context-based authentication, trust is defined by contextual elements such as user role, geolocation, device type, device health, and network. Trust is considered against the value of the asset that the user wishes to access – not just the entry of an accurate password.
Dynamic IAM also offers continuous protection across virtually all devices – every time a user logs into a web application, context-based authentication takes into account current contextual factors. Once access has been granted, the administrator has the option to create an audit trail capturing every interaction with web-based applications, enabling compliance with industry-specific security frameworks.
For example, if a user logs in from the same device, network and location using the same 2FA that he or she has used for three years, then it is more probable that the access request is from the genuine user. However, if authentication is attempted from a new device and the first two attempts at entering the password are incorrect, then it is more likely that identity fraud is being attempted and the authentication process should be stepped up to reflect the increased risk. The next step is to manage and audit what users can do within the application once they are authenticated. Context-based authorization can restrict access to features such as download, share and export depending on user, location and device.
As the mobile workforce continues to expand, the surge of web and mobile applications, and demand for constant connectivity frees employees from their desks. With context-based authentication according to the level of risk posed by the user, organizations can provide flexibility and increase security without relinquishing control.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.