19 January 2016

Access Control and Single Sign-On: A Global Approach

How to protect business data without imposing onerous authentication processes on employees is a challenge that most businesses have or will face. Single Sign-On (SSO) solutions alleviate this by managing access to multiple applications using a single login and password.

Choosing the right SSO solution can be hard and depends on the company’s existing IT environment, objectives and priorities. Often, companies have to maintain, operate, supervise and audit multiple solutions and for historical reasons, may already have separate SSOs already in place to cover different concerns.

From a cost and simplicity perspective, implementing a Global SSO solution makes a lot more sense. Covering every specific SSO challenge from a single platform, Global SSO allows organisations to invest at their own pace, while leveraging previous investments and creating a global coverage model. To find out why this is important, it’s crucial to be aware of today’s SSO landscape.

Review of the SSO landscape today 

Enterprise SSO or eSSO

Often, the main driver in implementing eSSO is to make users’ lives easier. It works by deploying one or more components on workstations, connected to organisation’s IT systems. eSSO then injects secondary credentials, such as users’ logins and passwords into applications which have previously been ‘enrolled’. It is particularly useful if you need to secure access to a range of assorted applications. However it does require a specific installation on each workstation by the IT department.

Web Access Management (WAM or Web SSO)

WAM is designed to secure web-based architectures such as extranet/intranet portals. Although WAM only applies to web applications, it generally enforces a stronger level of security than eSSO due to the implementation of advanced access control rules. Unlike eSSO, it does not require deployment on each workstation, but may sometimes require specific developments at the application level.

Identity Federation

Technically, Identity Federation is a way to operate web SSO authentication using industry standard protocols (SAMLv2, OAuth2, OpenID Connect, and WS-Federation). From a business perspective, its main benefit is that it allows different legal entities to safely exchange authentication and access rights information, providing users with a single secure authentication experience between distinct web domains. Within the extended enterprise this spares companies from having to manage their partners' identities. It also helps set up specific identity management infrastructures for each operational entity within a complex organisation.

Mobile SSO

Mobile SSO provides SSO functions to mobile devices, securing access via these devices to applications within an organisation’s IT systems. This market has recently been stimulated by the boom in mobile devices and their impact on business usage. Currently, many companies rely on specific developments for mobile SSO due to the lack of alternative solutions on the market.

Global SSO: a new generation of SSO

There is another option; now organisations can benefit from a single common infrastructure to operate and supervise authentication and access. Global SSO operates a single administration interface to configure every instance of SSO, along with a single audit point providing traceability of all user access across all IT applications. This offers a potential holy grail for IT departments, with a 360-degree view of access to the IT systems. Before organisations start any SSO project, it is necessary to carefully consider the interdependencies of data, applications and devices. A Global SSO solution can not only cover the companies' short term needs, but it can also become part of a long term strategic access management approach, providing the right features in a scalable and iterative manner.

5 January 2016

How quickly do you close dormant accounts? New research raises concerns for businesses leaving the door open

Commissioned by Ilex, the latest YouGov research uncovered the reality of orphan accounts and the security risks posed for British businesses. The survey found that 39 percent of large businesses took a few days to a month to close dormant accounts, raising serious concerns for British businesses.  Taking time to close dormant accounts leaves businesses open to a cyberattack, either by a malicious ex-employee, contractor, partner or an opportunistic hacker.

The study also found that five percent waited up to a week, three percent within a fortnight and eight percent confessed to only removing access within a month after departure. Immediate termination on or before the day of departure is even worse for small and medium size businesses. These results are worrying, as disgruntled employees or partners are unlikely to wait until a month after leaving to access confidential company information.

Despite the fact that the cost of cybersecurity to the UK economy is expected to grow, the research found that only 11 percent of businesses surveyed expect a data security breach in 2016. Large businesses were the most wary, with 30 percent expecting a breach, compared to 24 percent of medium and only six percent of small businesses. With the number of new employees expected to increase over the coming months, hiding from the truth is not an option. 

According to the Online Alliance Trust, almost one-third of data breaches in 2014 were caused either accidentally or maliciously by employees. Research published by the Sans Institute in April 2015 shows that while insider threats are a key concern for security professionals, 40 percent of businesses polled had no systems in place to address this concern, while 32 percent said they lacked appropriate policies and procedures to deal with insider threats.

You can find further details on of the account access and termination research findings here.

This follows on from Ilex International’s ‘Breach Confidence Index’ which uncovered the confidence levels of British businesses against a data security breach and reveals the primary reasons why businesses have suffered a breach.