When it comes to managing user identity and access permissions, enterprises encounter problems of scale as well as control. The number of applications per large company (defined as having over 2,000 employees) has grown by almost 70 percent since 2015. By 2019, companies with 200-500 employees were running approximately 123 SaaS applications. And by the end of 2020, over 70% of all companies will be running SaaS apps exclusively.
In the past, it was possible to create a tailored set of applications for each group within your organization and assign people to the relevant groups using a tool like Active Directory. Recently, however, enterprise roles have become more granular — there are more applications, groups are smaller, and cross-functional roles such as DevOps mean that many members of your workforce frequently shift responsibilities.
In short, you have more apps, smaller groups, and more flexible roles. If you want to improve security and lighten the IT workload, switching to a modern IAM solution is the best way to go.
Level Set – What is IAM and How Does it Work?
Identity and access management (IAM) is about managing the way your users are allowed to use tools and access data belonging to your organization. To this end, every user in the organization is assigned a well-defined role. An accountant, for example, might be granted access to a suite of record-keeping software, plus the ability to view and edit certain financial records. However, they would not be allowed access to resources such as software development tools or healthcare records.
Managing access is important for many reasons:
- Regulations such as HIPAA restrict access to healthcare records by individuals who aren’t involved in healthcare decisions.
- Security best practices stipulate that as few people as possible should be able to access corporate IP, social security data, and other sensitive data to safeguard against theft or misuse.
- Once an employee leaves the company, they should be immediately barred from accessing any company data or resources.
IAM enables administrators to assign levels of access to individual users – or to assign a user to a group that needs the same tools and access privileges. It also allows administrators to monitor user activities – where and when they log in, what files and tools they access, and so on. If a user begins to misuse their privileges, the administrator can revoke access or bar certain actions – like copying mission-critical files.
What are the Benefits of IAM Solutions?
Let’s say a new hire is starting work today. Would you rather:
- Manually assign permission for them to access the tools that they need – email, productivity suite, CRM, and more – plus several file shares, making sure to provide read-only access to some and full access to others
Or…
- Assign them to a role called “sales” which automatically gives them everything described above
This is just one benefit of IAM. In a large organization, it is essential to onboard employees efficiently. And for high-turnover jobs like sales or support, offboarding must be streamlined as well – you should be able to simply select the departing employee’s name, uncheck a box, and be confident that they can no longer access relevant apps and files.
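The role-based onboarding and offboarding described above, as an added example that is not part of the original article. The role catalogue, resource names and the Directory class are constructed for illustration and do not represent any particular IAM product.

```python
from dataclasses import dataclass, field

# Constructed role catalogue (assumption): resource -> access level.
ROLES = {
    "sales": {"email": "use", "productivity-suite": "use", "crm": "use",
              "share:price-lists": "read", "share:proposals": "full"},
    "support": {"email": "use", "productivity-suite": "use", "ticketing": "use",
                "share:price-lists": "read"},
}
RANK = {"read": 0, "use": 0, "full": 1}   # "full" outranks "read" on a share


@dataclass
class Directory:
    roles: dict                                   # role name -> entitlements
    members: dict = field(default_factory=dict)   # user -> set of role names

    def assign(self, user, role):
        if role not in self.roles:
            raise KeyError(f"unknown role: {role}")
        self.members.setdefault(user, set()).add(role)

    def change_role(self, user, old, new):
        """Swap roles instead of stacking them, so old access does not linger."""
        if new not in self.roles:
            raise KeyError(f"unknown role: {new}")
        self.members.setdefault(user, set()).discard(old)
        self.members[user].add(new)

    def entitlements(self, user):
        """Effective access: union over roles, highest level per resource."""
        effective = {}
        for role in self.members.get(user, ()):
            for resource, level in self.roles[role].items():
                if RANK[level] >= RANK.get(effective.get(resource), -1):
                    effective[resource] = level
        return effective

    def can_write(self, user, share):
        """Deny by default: writing to a share requires the 'full' level."""
        return self.entitlements(user).get(share) == "full"

    def offboard(self, user):
        """One action removes every role; returns what was revoked for audit."""
        revoked = self.entitlements(user)
        self.members.pop(user, None)
        return revoked
```

Assigning a user to "sales" grants the whole bundle in one call, and offboard() leaves the user with no entitlements while returning the revoked set for the audit trail.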
Convenience and productivity are just one part of what IAM can provide. Security is the other.
Let’s say that a new hire at a medical center is asked to email some healthcare information. This is prohibited by HIPAA, but neither the employee nor the person requesting it knows this. When the employee tries to access and email the information, the IAM solution can block their access, prevent copying, or stop them from attaching it to an email. It can also alert the IT manager so they can deliver a timely (and much needed) lecture about privacy laws.
In another scenario, let’s say that your new hire works from a café one day and picks up a virus from an Evil Access Point, enabling an attacker to steal your employee’s credentials. The attacker’s obvious next step is to log in to your network with them. Your IAM solution will flag the fact that the individual is using a different computer than usual, logging in from a different location, and logging in at 3:00 AM, an atypical time. Your IAM solution decides to require MFA in order to log in – in this case, a secure USB token that the hacker can’t possibly have. The result? The attacker cannot log in and a breach is prevented.
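The step-up decision in this scenario, as an added example that is not part of the original article. The baseline values, signal names and decision labels are constructed assumptions; real products weigh such signals in their own ways.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Baseline:
    """What "usual" looks like for one user (constructed sample data)."""
    devices: frozenset
    locations: frozenset
    usual_hours: range


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    password_ok: bool
    device_id: str
    location: str
    when: datetime
    token_ok: bool = False   # outcome of the USB-token challenge, if issued


BASELINE = Baseline(frozenset({"laptop-4711"}),
                    frozenset({"office", "home"}),
                    range(7, 20))


def risk_signals(baseline, attempt):
    """List every way this attempt deviates from the user's baseline."""
    signals = []
    if attempt.device_id not in baseline.devices:
        signals.append("new_device")
    if attempt.location not in baseline.locations:
        signals.append("new_location")
    if attempt.when.hour not in baseline.usual_hours:
        signals.append("unusual_time")
    return signals


def decide(baseline, attempt):
    """Return (decision, signals); the signals are what gets alerted on."""
    if not attempt.password_ok:
        return "deny", []
    signals = risk_signals(baseline, attempt)
    if not signals:
        return "allow", signals
    # Any deviation requires the second factor; a stolen password alone fails.
    return ("allow_after_mfa" if attempt.token_ok else "deny_mfa_failed"), signals
```

The same rule that stops the attacker also challenges the legitimate employee at the café, who passes because they hold the token.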
What are the Key Components of an IAM Solution?
Now that we’ve described how an IAM solution can stop attackers, prevent data breaches, and make your job easier, you probably see how IAM can benefit your organization. Keep in mind that not every IAM solution has the same features. When looking for an IAM solution, seek one with these capabilities:
- Authentication: Determines if the person logging in is who they claim to be. Usernames and passwords are no longer sufficient for this purpose, however. Look for a good business password manager system that integrates multi-factor authentication as well.
- Authorization: Determines which resources, on which systems, each user is allowed to access. Since the average company has many more resources than it did just a few years ago, and users often access organizational resources from their personal devices as well, it is important to choose a tool that can send alerts and mitigate harm if user access deviates from expectations.
- User Management: This is the quality-of-life feature that lets IT managers quickly add and remove users and assign access to applications. Since virtually every organization uses many more SaaS applications than they did even a few years ago, a solution that will seamlessly integrate with newer SaaS apps is essential.
Carefully considering these three elements will help you choose a robust IAM solution. It will help you protect your organization, avoid data breaches, and prevent access creep – better and more easily than ever before. And remember, IAM is only part of a multi-layered security strategy that you need to have in place to protect your organization.
Other key tools and technologies that you need to consider along with IAM are Remote Browser Isolation (to secure your employees’ access to the web) and Software-Defined Perimeter (to secure your employees’ access to applications). Coupling effective IAM with Software-Defined Perimeter and Remote Browser Isolation is a great way to improve your threat prevention capabilities.