Tuesday, 19 February 2019

Securing Identity and Access Management Solutions


The use of cloud-based solutions, business applications and other online services is greater than ever before. As organizations increasingly turn to Salesforce, Slack and GitHub, just to name a few, it’s critically important that they manage and protect each user’s multiple accounts to avoid unnecessary security risk.

Identity and access management (IAM) solutions can help simplify authentication, but they must be secured – just like domain controllers need to be locked down. If an IAM solution is compromised, the network will be compromised as well.

This blog provides a technical overview of IAM and the risks that arise when IAM on-premises agents are not properly secured. It also explores security recommendations and mitigations to keep IAM solutions safe.

IAM Overview


People often think of an IAM solution as a single sign-on (SSO) solution, which is understandable because SSO is a main feature of IAM. The SSO functionality allows a user to log in to the organization’s IAM homepage once, which then displays all the applications the user has access to, as shown in the illustration below (figure 1). When the user clicks on the desired app, they are redirected to the application without needing to provide any credentials.

IAM as an SSO Solution


With the rapid adoption of cloud solutions and services, IT and security teams have a record number of accounts to manage and monitor. Similarly, users – or employees – have many different credentials to remember. This reality forces users to either remember many different passwords or use the same set of credentials for multiple applications. Using the same set of credentials is, of course, a very bad practice that may lead to the compromise of all apps and associated data once a single password is compromised.

Identity providers (IdP) eliminate the need for multiple user accounts. Identity provider services like the ones provided by Google and Facebook are trusted by applications to provide proof of identity, eliminating the need for creating new user accounts for each application.
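As an added illustration of this trust relationship (example code written for this post, not part of the original article or of any IAM vendor's product): the IdP issues a short-lived, signed assertion after the user has authenticated once, and the application verifies the signature, the audience and the expiry instead of ever handling the user's password. The shared HMAC secret, the issuer URL and the application names are constructed for the demo; real SSO protocols such as SAML and OpenID Connect use public-key signatures, so the application needs only the IdP's public key rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json

# Constructed, hypothetical secret shared between the IdP and the application.
# SAML/OIDC deployments use the IdP's signing key pair instead of a shared secret.
IDP_SECRET = b"constructed-demo-secret-do-not-reuse"
ASSERTION_LIFETIME = 300  # seconds an assertion stays valid


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(secret: bytes, subject: str, audience: str, now: int) -> str:
    """IdP side: after the user authenticated at the IAM homepage, mint a signed,
    short-lived proof of identity addressed to exactly one application."""
    claims = {
        "iss": "https://idp.example",  # constructed issuer name
        "sub": subject,
        "aud": audience,
        "iat": now,
        "exp": now + ASSERTION_LIFETIME,
    }
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_assertion(secret: bytes, token: str, expected_audience: str, now: int):
    """Application side: accept the assertion only if the signature verifies,
    it was issued for this application, and it has not expired.
    Returns the asserted subject on success, or None on any failure."""
    try:
        body, sig_text = token.split(".", 1)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison before the body is even parsed.
        if not hmac.compare_digest(expected, _unb64(sig_text)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None  # malformed token, bad base64 or bad JSON
    if claims.get("aud") != expected_audience:
        return None  # assertion minted for a different application
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None  # expired (or missing expiry)
    return claims.get("sub")


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    token = issue_assertion(IDP_SECRET, "alice", "https://app.example/crm", now)
    print(verify_assertion(IDP_SECRET, token, "https://app.example/crm", now + 10))
```

The application never sees a password: it trusts the IdP's signature, and the audience and expiry checks stop an assertion minted for one application from being presented to another or reused after its lifetime.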

So why isn’t Active Directory (AD), the de-facto IdP for enterprises, enough for organizations? The reason is that cloud services and applications do not necessarily have a network connection to AD. Even if they did, such a setup might expose the domain.

To solve this problem, organizations use IAM solutions as an IdP. To act as an IdP, the IAM solution must either have a user database of its own or synchronize with an existing user database – an AD, for example. The simplest way is to connect the IAM to the existing user database (the AD) by installing agents in the organization’s on-premises environment.

In that case, the “kingdom” is expanding, as precious user data and passwords are shared with the IAM solution. We may say that IAM solutions act like a read-only cloud domain controller (RODC).

Some IAM solutions can also act as a read-write DC through an option called provisioning: users created in the IAM are then created in the domain as well. This is done by installing on-prem agents that synchronize AD with the cloud-based IAM solution.

SSO isn’t an IAM’s only functionality, however.

IAM as a Universal Directory


The IAM solution can also be used as a universal directory since it can integrate and manage all of the organization’s accounts from various directories. For organizations with multiple user directories, an IAM solution can be a real life saver, as it allows the business to manage all users with one tool – the IAM admin dashboard.

IAM provides a way to update user information, create new users, change users’ passwords and more. We can think of an IAM as an AD on steroids. For example, multiple sources of users, such as HR systems, Office 365 and AD, can be integrated and managed by the IAM.

IAM as an Access Management Tool


IAM solutions are not just an extension to AD. IAM enables the “right” individuals to access the “right” resources at the “right” time and for the “right” reasons.

Hence, this is not only about authentication, but also about authorization. Administrators can configure user access to applications integrated with IAM using the admin dashboard.
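To make the "right individual, right resource, right time, right reason" idea concrete, here is an added example of the kind of deny-by-default access check an administrator's dashboard settings translate into (example code written for this post, not the original article's or any vendor's implementation). The users, roles, application policies and time windows are constructed sample data; the policy fields are hypothetical names chosen for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone


@dataclass
class AppPolicy:
    """Per-application rule an administrator would configure in the IAM dashboard
    (hypothetical field names constructed for this example)."""
    allowed_roles: frozenset            # "right individual": roles entitled to the app
    window_start: time = time(0, 0)     # "right time": allowed window, in UTC
    window_end: time = time(23, 59, 59)
    requires_reason: bool = False       # "right reason": privileged apps need a justification


@dataclass
class Decision:
    allowed: bool
    reason: str


# Constructed sample directory and policies.
USERS = {
    "alice": {"roles": {"finance", "staff"}},
    "bob": {"roles": {"staff"}},
}
POLICIES = {
    "payroll": AppPolicy(frozenset({"finance"}), time(8, 0), time(18, 0), requires_reason=True),
    "wiki": AppPolicy(frozenset({"staff"})),
}


def authorize(user: str, app: str, when_iso: str, justification: str = "") -> Decision:
    """Deny by default. Allow only when the user and app are known, the user holds
    an entitled role, the request (converted to UTC) falls inside the app's time
    window, and a justification is recorded where the policy demands one.
    `when_iso` is an ISO-8601 timestamp that must carry a UTC offset."""
    user_rec = USERS.get(user)
    policy = POLICIES.get(app)
    if user_rec is None or policy is None:
        return Decision(False, "unknown user or application")
    if not (user_rec["roles"] & policy.allowed_roles):
        return Decision(False, "role not entitled")
    when = datetime.fromisoformat(when_iso)
    if when.tzinfo is None:
        # A naive timestamp would be interpreted in whatever zone the server runs in,
        # so the time-window check could silently pass or fail; refuse it instead.
        return Decision(False, "timestamp must carry a time zone")
    t = when.astimezone(timezone.utc).time()
    if not (policy.window_start <= t <= policy.window_end):
        return Decision(False, "outside allowed time window")
    if policy.requires_reason and not justification.strip():
        return Decision(False, "justification required")
    return Decision(True, "allowed")


if __name__ == "__main__":
    print(authorize("alice", "payroll", "2019-02-19T10:00:00+00:00", "month-end close"))
    print(authorize("bob", "payroll", "2019-02-19T10:00:00+00:00", "curious"))
```

Every denial carries the failing condition, which is what an auditor or a SOC analyst wants to see in the IAM's access log; the time-zone handling matters because a request at 20:00 in a UTC-5 office is 01:00 UTC and therefore outside an 08:00–18:00 UTC window.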

IAM and Multi-Factor Authentication


IAM solutions are an extension to our kingdom. As such, security controls must be deployed to protect this extension.

One of the most efficient security controls is multi-factor authentication (MFA). Some IAM solutions have their own MFA implementations, and most, if not all, solutions integrate with different MFA products – like Duo, RSA SecurID and Google Authenticator.

MFA is not a bulletproof mitigation, but it certainly can eliminate many attack vectors, some of which we explore in detail later in this post.
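As an added example of what sits behind the Google Authenticator style of MFA the text mentions (example code written for this post; not the original article's and not any vendor's implementation): a from-scratch RFC 4226 HOTP / RFC 6238 TOTP generator plus the verifier an IAM would run on its side. The verifier tolerates one step of clock skew and refuses to accept the same time step twice for a user, so a one-time code that was phished or shoulder-surfed cannot be replayed after its legitimate use. The secret below is the published RFC 4226/6238 test-vector secret, and the user name is constructed.

```python
import hashlib
import hmac
import struct

# The ASCII secret used for the test vectors in RFC 4226 and RFC 6238 (SHA-1 rows).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then the
    'dynamic truncation' of 31 bits, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier: accepts a code from the current step or its immediate
    neighbours (clock skew) and records the highest step consumed per user, so a
    code is never accepted twice and an older code cannot follow a newer one."""

    def __init__(self, step: int = 30, skew_steps: int = 1):
        self.step = step
        self.skew = skew_steps
        self.last_used_step = {}  # user -> highest time step already accepted

    def verify(self, user: str, secret: bytes, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_used_step.get(user, -1):
                continue  # already consumed (replay) or older than a consumed step
            if hmac.compare_digest(hotp(secret, candidate), code):
                self.last_used_step[user] = candidate
                return True
        return False


def demo_replay(secret: bytes = RFC_TEST_SECRET, unix_time: int = 59):
    """Present the same valid code twice to a fresh verifier; returns (first, second)."""
    verifier = TotpVerifier()
    code = totp(secret, unix_time)
    first = verifier.verify("alice", secret, code, unix_time)   # constructed user name
    second = verifier.verify("alice", secret, code, unix_time)
    return first, second


if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, 59), demo_replay())
```

The generator reproduces the RFC test vectors (for example time 59 yields 287082 for six digits), and the replay guard is the part that matters operationally: a TOTP code alone proves possession of the secret only once, so the IAM must track consumed steps rather than simply recomputing the code.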
